CVE-2019-13217: heap buffer overflow in start_decoder()
CVE-2019-13218: stack buffer overflow in compute_codewords()
CVE-2019-13219: uninitialized memory in vorbis_decode_packet_rest()
CVE-2019-13220: out-of-range read in draw_line()
CVE-2019-13221: issue with large 1D codebooks in lookup1_values()
CVE-2019-13222: unchecked NULL returned by get_window()
CVE-2019-13223: division by zero in predict_point()
When calling stbtt_PackFontRanges, multiple missing glyphs in the range
of codepoints will create multiple copies of the font's missing glyph to
be added to the pixel buffer. Instead, the first codepoint that maps to the missing glyph will add it to the pixel buffer, and all subsequent glyphs will simply copy the stbtt_packedchar data to reference the same region of the buffer.
This does NOT prevent duplication in multiple calls to stbtt_PackFontRange(s) - that would require modifying the packing context, which could be nice but is a bit more intrusive.
- arena and strdup string hashes were badly broken due to not setting up default slot correctly
- tweak use of seed in 4-byte and 8-byte hash functions to hopefully be slightly stronger
- a few internal #ifdefs for performance tuning
I must've missed it when I did this for the other image loaders.
Either way, combined with the previous checkin, this should fix
issue #614 properly.
Fixes issue #614.
1. Check not just g->out allocation for failure.
2. If an image descriptor specified a 0-width image, this could be
used to produce an out-of-bounds write.
3. Fix memory leak in case an error occurs during decoding.
Fixes issue #656.
