Compare commits

2 Commits

Author SHA1 Message Date
Alice R 578ad7681b
Merge f37e888b81 into f4a71b1337 2023-12-30 13:30:15 +03:00
AliceLR f37e888b81 stb_vorbis: Fix broken clamp in codebook_decode_deinterleave_repeat.
The clamp on the effective number of dimensions to decode in
`codebook_decode_deinterleave_repeat` is trivially broken.
libFuzzer managed to find some inputs that exploit this to increase
the number of dimensions to be read past the end of the multiplicands
array.
2023-06-17 00:42:36 -06:00
1 changed files with 1 additions and 1 deletions

@ -1888,7 +1888,7 @@ static int codebook_decode_deinterleave_repeat(vorb *f, Codebook *c, float **out
// buffer (len*ch), our current offset within it (p_inter*ch)+(c_inter),
// and the length we'll be using (effective)
if (c_inter + p_inter*ch + effective > len * ch) {
effective = len*ch - (p_inter*ch - c_inter);
effective = len*ch - (p_inter*ch + c_inter);
}
#ifdef STB_VORBIS_DIVIDES_IN_CODEBOOK
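
Review bot: The offset into the output buffer is still written out twice, once in the `if (c_inter + p_inter*ch + effective > len * ch)` condition and once in the new `effective = len*ch - (p_inter*ch + c_inter);` assignment, which is how the old `(p_inter*ch - c_inter)` form could disagree with the check above it (it left `effective` too large by `2*c_inter`). Consider computing the offset once in a local, for example `offset = p_inter*ch + c_inter`, and using it in both places so the condition and the clamp cannot drift apart again. The visible lines also do not show what happens when that offset already equals or exceeds `len*ch`, where the clamped `effective` would be zero or less; a comment or explicit check for that case would help. Since the commit message says libFuzzer found the triggering inputs, adding one of them as a regression test alongside this one-line change would be worthwhile.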