A crafted file may trigger an out-of-bounds read in the DECODE macro when var is negative [1]:

```c
#define DECODE(var,f,c) \
   DECODE_RAW(var,f,c) \
   if (c->sparse) var = c->sorted_values[var]; // [1] OOB
```
As can be seen in the definition of DECODE_RAW, a negative var is a valid result: [2] sets var to -1 when consuming the codeword overdraws the bit reservoir, and [3] (codebook_decode_scalar_raw) may also return a negative value.
```c
#define DECODE_RAW(var, f,c) \
   if (f->valid_bits < STB_VORBIS_FAST_HUFFMAN_LENGTH) \
      prep_huffman(f); \
   var = f->acc & FAST_HUFFMAN_TABLE_MASK; \
   var = c->fast_huffman[var]; \
   if (var >= 0) { \
      int n = c->codeword_lengths[var]; \
      f->acc >>= n; \
      f->valid_bits -= n; \
      if (f->valid_bits < 0) { f->valid_bits = 0; var = -1; } /* [2] */ \
   } else { \
      var = codebook_decode_scalar_raw(f,c); /* [3] */ \
   }
```
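To make the [1]/[2] interaction concrete, here is an added standalone C model (not stb_vorbis code): it re-implements the fast path of DECODE_RAW over a constructed 4-entry codebook so that a starved bit reservoir yields var = -1, and shows a hardened DECODE that refuses to use that value as an index into sorted_values. The struct fields, sample_codebook, decode_raw and decode_checked are assumptions for this illustration, and the added check is not the project's upstream fix.

```c
#include <stdint.h>

/* Constructed, reduced model of the fields the macros touch; the names mirror
 * stb_vorbis but these are not the library's real structs (toy 4-entry table). */
#define FAST_HUFFMAN_TABLE_MASK 0x3

typedef struct { uint32_t acc; int valid_bits; } Bitstream;

typedef struct {
    int sparse;
    int16_t fast_huffman[4];      /* indexed by low bits of acc; -1 = miss */
    uint8_t codeword_lengths[4];
    int sorted_values[4];
    int sorted_entries;           /* number of entries in sorted_values */
} Codebook;

/* Mirrors DECODE_RAW's fast path. If consuming the codeword overdraws the bit
 * reservoir, valid_bits is reset and var becomes -1 ([2] in the advisory).
 * The prep_huffman refill and the [3] slow path are omitted; misses yield -1. */
static int decode_raw(Bitstream *f, const Codebook *c)
{
    int var = (int)(f->acc & FAST_HUFFMAN_TABLE_MASK);
    var = c->fast_huffman[var];
    if (var >= 0) {
        int n = c->codeword_lengths[var];
        f->acc >>= n;
        f->valid_bits -= n;
        if (f->valid_bits < 0) { f->valid_bits = 0; var = -1; }   /* [2] */
    }
    return var;
}

/* Hardened DECODE (assumed fix): the macro's `if (c->sparse) var =
 * c->sorted_values[var];` would index with the -1 from [2] ([1]); instead keep
 * -1 as the error signal and translate only a valid index through the table. */
static int decode_checked(Bitstream *f, const Codebook *c)
{
    int var = decode_raw(f, c);
    if (var < 0) return -1;                                  /* decode failed */
    if (c->sparse && var >= c->sorted_entries) return -1;    /* defensive bound */
    if (c->sparse) var = c->sorted_values[var];
    return var;
}

/* Constructed sample: every fast-table slot maps to entry 2, a 5-bit codeword. */
static Codebook sample_codebook(void)
{
    Codebook c = { 1, {2, 2, 2, 2}, {1, 1, 5, 1}, {10, 20, 30, 40}, 4 };
    return c;
}
```

Feeding a stream with only 3 valid bits into a 5-bit codeword reproduces the [2] path; decode_checked returns -1 there, while with enough bits it returns the sparse-mapped value.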
Impact
This issue may be used to leak internal memory allocation information.
Resources
To reproduce the issue: