LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-09-21 18:37:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibAudio: Set variable type for decoding fixed subframes in FLAC

Browse Source 
This fixes an crash caused by using the type from
FlacSubframeHeader::order (unsigned 8-bit), which after overflowing
the integer, converting it back to u32, and decrementing by one
resulted in accessing an array waaay out of bounds.
This commit is contained in:
Karol Kosek 2021-07-11 14:47:09 +02:00 committed by Gunnar Beutner
parent 93340685ed
commit 0c7a319e6b
Notes: sideshowbarker 2024-07-19 17:25:35 +09:00 
Author: https://github.com/krkk
Commit: https://github.com/SerenityOS/serenity/commit/0c7a319e6ba
Pull-request: https://github.com/SerenityOS/serenity/pull/8686
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Userland/Libraries/LibAudio/FlacLoader.cpp
View File

@ -684,27 +684,27 @@ Vector<i32> FlacLoaderPlugin::decode_fixed_lpc(FlacSubframeHeader& subframe, Inp
switch (subframe.order) { switch (subframe.order) {
case 0: case 0:
// s_0(t) = 0 // s_0(t) = 0
for (auto i = subframe.order; i < m_current_frame->sample_count; ++i) for (u32 i = subframe.order; i < m_current_frame->sample_count; ++i)
decoded[i] += 0; decoded[i] += 0;
break; break;
case 1: case 1:
// s_1(t) = s(t-1) // s_1(t) = s(t-1)
for (auto i = subframe.order; i < m_current_frame->sample_count; ++i) for (u32 i = subframe.order; i < m_current_frame->sample_count; ++i)
decoded[i] += decoded[i - 1]; decoded[i] += decoded[i - 1];
break; break;
case 2: case 2:
// s_2(t) = 2s(t-1) - s(t-2) // s_2(t) = 2s(t-1) - s(t-2)
for (auto i = subframe.order; i < m_current_frame->sample_count; ++i) for (u32 i = subframe.order; i < m_current_frame->sample_count; ++i)
decoded[i] += 2 * decoded[i - 1] - decoded[i - 2]; decoded[i] += 2 * decoded[i - 1] - decoded[i - 2];
break; break;
case 3: case 3:
// s_3(t) = 3s(t-1) - 3s(t-2) + s(t-3) // s_3(t) = 3s(t-1) - 3s(t-2) + s(t-3)
for (auto i = subframe.order; i < m_current_frame->sample_count; ++i) for (u32 i = subframe.order; i < m_current_frame->sample_count; ++i)
decoded[i] += 3 * decoded[i - 1] - 3 * decoded[i - 2] + decoded[i - 3]; decoded[i] += 3 * decoded[i - 1] - 3 * decoded[i - 2] + decoded[i - 3];
break; break;
case 4: case 4:
// s_4(t) = 4s(t-1) - 6s(t-2) + 4s(t-3) - s(t-4) // s_4(t) = 4s(t-1) - 6s(t-2) + 4s(t-3) - s(t-4)
for (auto i = subframe.order; i < m_current_frame->sample_count; ++i) for (u32 i = subframe.order; i < m_current_frame->sample_count; ++i)
decoded[i] += 4 * decoded[i - 1] - 6 * decoded[i - 2] + 4 * decoded[i - 3] - decoded[i - 4]; decoded[i] += 4 * decoded[i - 1] - 6 * decoded[i - 2] + 4 * decoded[i - 3] - decoded[i - 4];
break; break;
default: default: