Google Git
Sign in
android / platform / external / tremolo / 5b6c2beac0a9bce02c38e774ebebbde3d288e5dc^! / .
commit5b6c2beac0a9bce02c38e774ebebbde3d288e5dc[log] [tgz]
authorShivaansh Agrawal <shivaansh.agrawal@ittiam.com>Thu Aug 06 22:48:43 2020 +0530
committerRay Essick <essick@google.com>Tue Aug 11 17:52:25 2020 +0000
tree726ca70715386ae7102480763d652c354b490cd1
parentdbe0e8752bc791f19fd6c47d9a88cc9f584ee32a [diff]
zero initialize allocated memory

initialize allocated memory if not written after allocation
to prevent invalid indices from being accessed

Bug: 160633884
Test: initialize memory such that only msb is 0,
eg. memset(s->dec_table, 0x7f, size),
run fuzzer with testvector

Change-Id: I0951bb4a898f5ecfe4d4d0c302ad11b3e62b434e

diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index 8948cf3..84721e7 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c

@@ -246,7 +246,7 @@
      * This probably wastes a bit of space, but it shouldn't
      * impact behavior or size too much.
      */
-    s->dec_table=_ogg_malloc((s->entries*2+1)*sizeof(*work));
+    s->dec_table=_ogg_calloc((s->entries*2+1), sizeof(*work));
     if (!s->dec_table) return 1;
     /* +1 (rather than -2) is to accommodate 0 and 1 sized books,
        which are specialcased to nodeb==4 */
@@ -264,7 +264,7 @@
   if(_make_words(lengthlist,s->entries,work,quantvals,s,opb,maptype)) goto error_out;
   if (s->used_entries > INT_MAX/(s->dec_leafw+1)) goto error_out;
   if (s->dec_nodeb && s->used_entries * (s->dec_leafw+1) > INT_MAX/s->dec_nodeb) goto error_out;
-  s->dec_table=_ogg_malloc((s->used_entries*(s->dec_leafw+1)-2)*
+  s->dec_table=_ogg_calloc((s->used_entries*(s->dec_leafw+1)-2),
                            s->dec_nodeb);
   if (!s->dec_table) goto error_out;
 
@@ -422,7 +422,7 @@
 
   /* first the basic parameters */
   s->dim=oggpack_read(opb,16);
-  s->dec_buf=_ogg_malloc(sizeof(ogg_int32_t)*s->dim);
+  s->dec_buf=_ogg_calloc(s->dim, sizeof(ogg_int32_t));
   if (s->dec_buf == NULL)
       goto _errout;
   s->entries=oggpack_read(opb,24);

diff --git a/Tremolo/framing.c b/Tremolo/framing.c
index ae6bb20..c9f1743 100644
--- a/Tremolo/framing.c
+++ b/Tremolo/framing.c

@@ -115,7 +115,7 @@
   }else{
     /* allocate a new buffer */
     ob=_ogg_malloc(sizeof(*ob));
-    ob->data=_ogg_malloc(bytes<16?16:bytes);
+    ob->data=_ogg_calloc(bytes<16?16:bytes, 1);
     ob->size=bytes;
   }
 

diff --git a/Tremolo/vorbisfile.c b/Tremolo/vorbisfile.c
index f896b43..46bada6 100644
--- a/Tremolo/vorbisfile.c
+++ b/Tremolo/vorbisfile.c

@@ -243,8 +243,8 @@
   if(searched>=end || ret<0){
     ogg_page_release(&og);
     vf->links=m+1;
-    vf->offsets=_ogg_malloc((vf->links+1)*sizeof(*vf->offsets));
-    vf->serialnos=_ogg_malloc(vf->links*sizeof(*vf->serialnos));
+    vf->offsets=_ogg_calloc((vf->links+1), sizeof(*vf->offsets));
+    vf->serialnos=_ogg_calloc(vf->links, sizeof(*vf->serialnos));
     vf->offsets[m+1]=searched;
   }else{
     ret=_bisect_forward_serialno(vf,next,vf->offset,