

ref: 747378a43b336fd8d68d5a976bdfe851414df62b
parent: 6db6cbd4f0fd094170a1aefac73f28f58a2bcbfd
author: Timothy B. Terriberry <[email protected]>
date: Sat Apr 11 18:15:43 EDT 2009

Fix (unexploitable) buffer overrun when _m=1 during the cwrs table init, as
reported by Bjoern Rasmussen.

--- a/libcelt/cwrs.c
+++ b/libcelt/cwrs.c
@@ -217,7 +217,8 @@
     k=2;
     do _u[k]=(k<<1)-1;
     while(++k<len);
-    for(k=2;k<_n;k++)unext32(_u+2,_m,(k<<1)+1);
+    for(k=2;k<_n;k++)
+      unext32(_u+1,_m+1,1);
   }
   else{
     celt_uint32_t um1;
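Review bot: The `do _u[k]=(k<<1)-1; while(++k<len);` loop directly above the changed call still stores to `_u[2]` before it compares `k` with `len`, so the same class of overrun would remain for `_m=0` if `len` can be 2 there; `len` is assigned outside the hunk, so this is inferred rather than confirmed. Stating the precondition next to the loop would make it explicit, e.g. `/*Requires _m>0: the do-while stores _u[2] before testing k<len.*/`, ideally backed by an assertion using whatever assert macro the file already has. The new call `unext32(_u+1,_m+1,1)` would also benefit from a one-line comment on why the row now starts at `_u+1` with length `_m+1`, since the `_m=1` case from the commit message is not recoverable from the code alone. The enclosing function starts and ends outside the hunk.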