Merge tag 'android-security-11.0.0_r50' into int/11/fp3

Android security 11.0.0 release 50

* tag 'android-security-11.0.0_r50':
  handle cases where order isn't a multiple of dimension

Change-Id: Ib52f922bc6677bca36236bd2ae47fe390b1f7287
diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index d62aefa..326a9bc 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c
@@ -246,7 +246,7 @@
      * This probably wastes a bit of space, but it shouldn't
      * impact behavior or size too much.
      */
-    s->dec_table=_ogg_malloc((s->entries*2+1)*sizeof(*work));
+    s->dec_table=_ogg_calloc((s->entries*2+1), sizeof(*work));
     if (!s->dec_table) return 1;
     /* +1 (rather than -2) is to accommodate 0 and 1 sized books,
        which are specialcased to nodeb==4 */
@@ -264,7 +264,7 @@
   if(_make_words(lengthlist,s->entries,work,quantvals,s,opb,maptype)) goto error_out;
   if (s->used_entries > INT_MAX/(s->dec_leafw+1)) goto error_out;
   if (s->dec_nodeb && s->used_entries * (s->dec_leafw+1) > INT_MAX/s->dec_nodeb) goto error_out;
-  s->dec_table=_ogg_malloc((s->used_entries*(s->dec_leafw+1)-2)*
+  s->dec_table=_ogg_calloc((s->used_entries*(s->dec_leafw+1)-2),
                            s->dec_nodeb);
   if (!s->dec_table) goto error_out;
 
@@ -422,7 +422,7 @@
 
   /* first the basic parameters */
   s->dim=oggpack_read(opb,16);
-  s->dec_buf=_ogg_malloc(sizeof(ogg_int32_t)*s->dim);
+  s->dec_buf=_ogg_calloc(s->dim, sizeof(ogg_int32_t));
   if (s->dec_buf == NULL)
       goto _errout;
   s->entries=oggpack_read(opb,24);
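Review bot: `s->dim` goes from `oggpack_read(opb,16)` straight into `_ogg_calloc` as the element count, and no range check is visible in this hunk. Other reads in this patch treat a negative return as a failed read (`if(num<0)goto _eofout;`, `if(rangebits < 0) goto err_out;`), so if `s->dim` is a signed field, a truncated header would pass a negative count to the allocator. A zero dimension makes the calloc result implementation-defined (NULL or a zero-length buffer). Consider rejecting both before allocating, e.g. `if(s->dim<=0) goto _errout;`, unless a check outside the hunk already covers it. The enclosing function starts and ends outside the hunk.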
@@ -476,6 +476,7 @@
       for(i=0;i<s->entries;){
         long num=oggpack_read(opb,_ilog(s->entries-i));
         if(num<0)goto _eofout;
+        if(length>32) goto _errout;
         for(j=0;j<num && i<s->entries;j++,i++)
           lengthlist[i]=(char)length;
         s->dec_maxlength=length;
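Review bot: The new bound `if(length>32) goto _errout;` uses a bare 32 with no explanation of what the limit protects. It sits just before the loop that stores `(char)length` into `lengthlist` and the assignment to `s->dec_maxlength`. A one-line comment would help the next reader, for example `/* reject codeword lengths above 32 before they are stored in lengthlist or dec_maxlength */`. The exact rationale for 32 should be confirmed against the table-building code, which is not in this hunk. The declaration and update of `length` are also outside the hunk.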
diff --git a/Tremolo/floor1.c b/Tremolo/floor1.c
index 7811aba..1a920a7 100644
--- a/Tremolo/floor1.c
+++ b/Tremolo/floor1.c
@@ -140,6 +140,7 @@
   /* read the post list */
   info->mult=oggpack_read(opb,2)+1;     /* only 1,2,3,4 legal now */
   rangebits=oggpack_read(opb,4);
+  if(rangebits < 0) goto err_out;
 
   for(j=0,k=0;j<info->partitions;j++)
     count+=info->klass[info->partitionclass[j]].class_dim;
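Review bot: The read just above the new check, `info->mult=oggpack_read(opb,2)+1;`, still has no failure test. If `oggpack_read` returns -1 on a short packet, as the added `rangebits < 0` test implies, `mult` becomes 0, outside the "only 1,2,3,4 legal" range its own comment states. Consider guarding it the same way, e.g. `if(info->mult < 1) goto err_out;` directly after that read. Whether `mult` is validated later is not visible, since the function continues outside the hunk.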
diff --git a/Tremolo/framing.c b/Tremolo/framing.c
index ae6bb20..c9f1743 100644
--- a/Tremolo/framing.c
+++ b/Tremolo/framing.c
@@ -115,7 +115,7 @@
   }else{
     /* allocate a new buffer */
     ob=_ogg_malloc(sizeof(*ob));
-    ob->data=_ogg_malloc(bytes<16?16:bytes);
+    ob->data=_ogg_calloc(bytes<16?16:bytes, 1);
     ob->size=bytes;
   }
 
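Review bot: Neither allocation in the new-buffer branch is checked. `ob->data=...` dereferences `ob` immediately after `_ogg_malloc(sizeof(*ob))`, and the `_ogg_calloc` result is stored without a NULL test, so an allocation failure becomes a NULL write instead of an error return. The Tremolo/vorbisfile.c hunk has the same pattern: `vf->offsets[m+1]=searched;` writes through the fresh `_ogg_calloc` result, and `vf->serialnos` is not tested either. Switching to calloc zero-fills the memory but does not change this, so both sites should test the pointers (`if(!ob) ...`, `if(!ob->data) ...`, `if(!vf->offsets || !vf->serialnos) ...`) and release what was already allocated. The correct failure return depends on the enclosing functions, which start and end outside these hunks.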
diff --git a/Tremolo/vorbisfile.c b/Tremolo/vorbisfile.c
index f896b43..46bada6 100644
--- a/Tremolo/vorbisfile.c
+++ b/Tremolo/vorbisfile.c
@@ -243,8 +243,8 @@
   if(searched>=end || ret<0){
     ogg_page_release(&og);
     vf->links=m+1;
-    vf->offsets=_ogg_malloc((vf->links+1)*sizeof(*vf->offsets));
-    vf->serialnos=_ogg_malloc(vf->links*sizeof(*vf->serialnos));
+    vf->offsets=_ogg_calloc((vf->links+1), sizeof(*vf->offsets));
+    vf->serialnos=_ogg_calloc(vf->links, sizeof(*vf->serialnos));
     vf->offsets[m+1]=searched;
   }else{
     ret=_bisect_forward_serialno(vf,next,vf->offset,