Fix (unexploitable) buffer overrun when _m=1 during the cwrs table init, as
authorTimothy B. Terriberry <tterribe@xiph.org>
Sun, 12 Apr 2009 02:15:43 +0000 (22:15 -0400)
committerJean-Marc Valin <jean-marc.valin@usherbrooke.ca>
Sun, 12 Apr 2009 02:21:06 +0000 (22:21 -0400)
reported by Bjoern Rasmussen.

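--- a/libcelt/cwrs.c
+++ b/libcelt/cwrs.c
@@ -217,7 +217,8 @@ celt_uint32_t ncwrs_u32(int _n,int _m,celt_uint32_t *_u){
     k=2;
     do _u[k]=(k<<1)-1;
     while(++k<len);
-    for(k=2;k<_n;k++)unext32(_u+2,_m,(k<<1)+1);
+    for(k=2;k<_n;k++)
+      unext32(_u+1,_m+1,1);
   }
   else{
     celt_uint32_t um1;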
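Review bot: The `do _u[k]=(k<<1)-1; while(++k<len);` loop just above the changed call stores `_u[2]` before it tests `k<len`, so this branch still writes past the table whenever `len` is 2 or less. `len` is set outside the hunk, so whether such a value can reach this branch cannot be confirmed from these lines. Since the commit fixes an overrun in this same table init, I would state the precondition next to the loop, e.g. `/*Assumes len>2: the do-while stores _u[2] before testing k<len.*/`, or assert it. The new `unext32(_u+1,_m+1,1)` call would also benefit from a one-line comment saying why the base moved to `_u+1` and the length to `_m+1`, because that reasoning currently exists only in the commit message. ncwrs_u32's body starts and ends outside the hunk.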