Merge tag 'android-security-11.0.0_r50' into int/11/fp3
Android security 11.0.0 release 50
* tag 'android-security-11.0.0_r50':
handle cases where order isn't a multiple of dimension
Change-Id: Ib52f922bc6677bca36236bd2ae47fe390b1f7287
diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index d62aefa..326a9bc 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c
@@ -246,7 +246,7 @@
* This probably wastes a bit of space, but it shouldn't
* impact behavior or size too much.
*/
- s->dec_table=_ogg_malloc((s->entries*2+1)*sizeof(*work));
+ s->dec_table=_ogg_calloc((s->entries*2+1), sizeof(*work));
if (!s->dec_table) return 1;
/* +1 (rather than -2) is to accommodate 0 and 1 sized books,
which are specialcased to nodeb==4 */
@@ -264,7 +264,7 @@
if(_make_words(lengthlist,s->entries,work,quantvals,s,opb,maptype)) goto error_out;
if (s->used_entries > INT_MAX/(s->dec_leafw+1)) goto error_out;
if (s->dec_nodeb && s->used_entries * (s->dec_leafw+1) > INT_MAX/s->dec_nodeb) goto error_out;
- s->dec_table=_ogg_malloc((s->used_entries*(s->dec_leafw+1)-2)*
+ s->dec_table=_ogg_calloc((s->used_entries*(s->dec_leafw+1)-2),
s->dec_nodeb);
if (!s->dec_table) goto error_out;
@@ -422,7 +422,7 @@
/* first the basic parameters */
s->dim=oggpack_read(opb,16);
- s->dec_buf=_ogg_malloc(sizeof(ogg_int32_t)*s->dim);
+ s->dec_buf=_ogg_calloc(s->dim, sizeof(ogg_int32_t));
if (s->dec_buf == NULL)
goto _errout;
s->entries=oggpack_read(opb,24);
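Review bot: `s->dim` goes straight from `oggpack_read(opb,16)` into `_ogg_calloc(s->dim, sizeof(ogg_int32_t))` with no range check. Other hunks in this commit treat a negative return from oggpack_read as a failed read (`if(num<0)`, `if(rangebits < 0)`), so on a truncated header the count would presumably be negative and only be rejected because calloc refuses the converted size. An explicit `if(s->dim<0) goto _errout;` before the allocation would make that intent visible. A zero dimension deserves a decision as well, since `calloc(0, ...)` may return either NULL or a non-NULL pointer depending on the platform. The enclosing function and the declared type of `s->dim` are outside this hunk.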
@@ -476,6 +476,7 @@
for(i=0;i<s->entries;){
long num=oggpack_read(opb,_ilog(s->entries-i));
if(num<0)goto _eofout;
+ if(length>32) goto _errout;
for(j=0;j<num && i<s->entries;j++,i++)
lengthlist[i]=(char)length;
s->dec_maxlength=length;
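Review bot: The added `if(length>32) goto _errout;` uses a bare 32 with nothing explaining where the bound comes from. A short comment above it would help, for example `/* codeword lengths above 32 bits are invalid; reject before storing into lengthlist */`, with the wording confirmed against the format's limit. It is also worth noting in the comment that `lengthlist[i]=(char)length` narrows the value, so the bound has to hold before that store. The loop body continues outside the hunk, so how `length` is advanced is not visible here.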
diff --git a/Tremolo/floor1.c b/Tremolo/floor1.c
index 7811aba..1a920a7 100644
--- a/Tremolo/floor1.c
+++ b/Tremolo/floor1.c
@@ -140,6 +140,7 @@
/* read the post list */
info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */
rangebits=oggpack_read(opb,4);
+ if(rangebits < 0) goto err_out;
for(j=0,k=0;j<info->partitions;j++)
count+=info->klass[info->partitionclass[j]].class_dim;
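Review bot: The new check covers `rangebits` only, while `info->mult=oggpack_read(opb,2)+1` on the line above is still stored unchecked. If that read fails with a negative value, `mult` would become 0, which is outside the "only 1,2,3,4 legal" range the comment states. The reader's end-of-packet state may be sticky, in which case the `rangebits < 0` test catches the same condition, but that cannot be confirmed from this hunk. Either say so in a comment (`/* a failed mult read also fails here: EOF is sticky */`) or add `if(info->mult < 1) goto err_out;`. The enclosing function starts and ends outside the hunk.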
diff --git a/Tremolo/framing.c b/Tremolo/framing.c
index ae6bb20..c9f1743 100644
--- a/Tremolo/framing.c
+++ b/Tremolo/framing.c
@@ -115,7 +115,7 @@
}else{
/* allocate a new buffer */
ob=_ogg_malloc(sizeof(*ob));
- ob->data=_ogg_malloc(bytes<16?16:bytes);
+ ob->data=_ogg_calloc(bytes<16?16:bytes, 1);
ob->size=bytes;
}
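Review bot: Neither allocation in this branch is checked. `ob=_ogg_malloc(sizeof(*ob));` is dereferenced on the next line, and the result of the new `_ogg_calloc(bytes<16?16:bytes, 1)` is stored in `ob->data` without a NULL test. Zero-filling the buffer does not help when the allocation itself fails. The vorbisfile.c hunk has the same gap, where `vf->offsets[m+1]=searched;` writes through the freshly allocated `vf->offsets` without checking it or `vf->serialnos`. Add `if(!ob)` before the first dereference and `if(!ob->data)` after the calloc, releasing `ob` on that path, and test both `vf` pointers before the store. How each enclosing function reports failure is outside these hunks, so the bail-out has to follow the existing convention there.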
diff --git a/Tremolo/vorbisfile.c b/Tremolo/vorbisfile.c
index f896b43..46bada6 100644
--- a/Tremolo/vorbisfile.c
+++ b/Tremolo/vorbisfile.c
@@ -243,8 +243,8 @@
if(searched>=end || ret<0){
ogg_page_release(&og);
vf->links=m+1;
- vf->offsets=_ogg_malloc((vf->links+1)*sizeof(*vf->offsets));
- vf->serialnos=_ogg_malloc(vf->links*sizeof(*vf->serialnos));
+ vf->offsets=_ogg_calloc((vf->links+1), sizeof(*vf->offsets));
+ vf->serialnos=_ogg_calloc(vf->links, sizeof(*vf->serialnos));
vf->offsets[m+1]=searched;
}else{
ret=_bisect_forward_serialno(vf,next,vf->offset,