From 366d919016a679d3955f6fe5278fa7ce4f47b81e Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Tue, 3 Aug 2010 00:25:06 +0000
Subject: vorbisdec: Prevent a potential integer overflow.

If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs
classifs  is susceptible to integer overflow.

Originally committed as revision 24675 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/vorbis_dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavcodec')

diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 1772e55..b543f5c 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -103,7 +103,7 @@ typedef struct {
     int_fast16_t  books[64][8];
     uint_fast8_t  maxpass;
     uint_fast16_t ptns_to_read;
-    uint_fast8_t *classifs;
+    uint8_t *classifs;
 } vorbis_residue;
 
 typedef struct {
@@ -1267,7 +1267,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
     GetBitContext *gb = &vc->gb;
     uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions;
     uint_fast16_t ptns_to_read = vr->ptns_to_read;
-    uint_fast8_t *classifs = vr->classifs;
+    uint8_t *classifs = vr->classifs;
     uint_fast8_t pass;
     uint_fast8_t ch_used;
     uint_fast8_t i,j,l;
-- 
cgit v1.1