ffmpeg | branch: master | James Almer <[email protected]> | Tue Oct 3 20:28:51 2017 -0300| [cb222d73225adae76893f58c8283b32a9943094f] | committer: James Almer
Merge commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7' * commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7': svq3: fix the slice size check Merged-by: James Almer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb222d73225adae76893f58c8283b32a9943094f --- libavcodec/svq3.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5cb5bd45b7..a937b2f951 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1036,17 +1036,16 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) slice_bits = slice_length * 8; slice_bytes = slice_length + length - 1; - if (8LL*slice_bytes > get_bits_left(&s->gb)) { - av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); - return -1; - } - skip_bits(&s->gb, 8); av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->slice_buf) return AVERROR(ENOMEM); + if (slice_bytes * 8LL > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); + return AVERROR_INVALIDDATA; + } memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes); init_get_bits(&s->gb_slice, s->slice_buf, slice_bits); ====================================================================== diff --cc libavcodec/svq3.c index 5cb5bd45b7,667d3906a1..a937b2f951 --- a/libavcodec/svq3.c 
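Review bot: The relocated size check in svq3_decode_slice_header now runs after av_fast_malloc, so a slice whose declared length exceeds the remaining bitstream still grows s->slice_buf before it is rejected. To match the offset memcpy reads from, the check only has to follow `skip_bits(&s->gb, 8);`; it does not have to follow the allocation. Placing the `if (slice_bytes * 8LL > get_bits_left(&s->gb))` block directly after that skip_bits call keeps the corrected bound and returns AVERROR_INVALIDDATA before any memory is requested. slice_length is computed above the hunk and appears to come from the stream, so the requested size is presumably input-controlled. The function starts and ends outside the hunk.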
+++ b/libavcodec/svq3.c @@@ -1036,32 -1031,30 +1036,31 @@@ static int svq3_decode_slice_header(AVC slice_bits = slice_length * 8; slice_bytes = slice_length + length - 1; - if (8LL*slice_bytes > get_bits_left(&s->gb)) { - av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); - return -1; - } - - bitstream_skip(&s->bc, 8); + skip_bits(&s->gb, 8); av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->slice_buf) return AVERROR(ENOMEM); - if (slice_bytes * 8 > bitstream_bits_left(&s->bc)) { ++ if (slice_bytes * 8LL > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); + return AVERROR_INVALIDDATA; + } - memcpy(s->slice_buf, s->bc.buffer + bitstream_tell(&s->bc) / 8, slice_bytes); + memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes); + + init_get_bits(&s->gb_slice, s->slice_buf, slice_bits); if (s->watermark_key) { - uint32_t header = AV_RL32(&s->bc_slice.buffer[1]); - AV_WL32(&s->bc_slice.buffer[1], header ^ s->watermark_key); + uint32_t header = AV_RL32(&s->gb_slice.buffer[1]); + AV_WL32(&s->gb_slice.buffer[1], header ^ s->watermark_key); } if (length > 0) { - memcpy(s->slice_buf, &s->slice_buf[slice_length], length - 1); + memmove(s->slice_buf, &s->slice_buf[slice_length], length - 1); } - bitstream_skip(&s->bc, slice_bytes * 8); - bitstream_init(&s->bc_slice, s->slice_buf, slice_bits); + skip_bits_long(&s->gb, slice_bytes * 8); } - if ((slice_id = get_interleaved_ue_golomb(&s->bc_slice)) >= 3) { + if ((slice_id = get_interleaved_ue_golomb(&s->gb_slice)) >= 3) { av_log(s->avctx, AV_LOG_ERROR, "illegal slice type %u \n", slice_id); return -1; } _______________________________________________ ffmpeg-cvslog mailing list [email protected] http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
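Review bot: The bytes of s->slice_buf past slice_bytes are never initialised in this block: av_fast_malloc is asked for AV_INPUT_BUFFER_PADDING_SIZE extra bytes, but memcpy fills only slice_bytes, and the buffer appears to be reused from one slice to the next. The watermark branch reads four bytes at `&s->gb_slice.buffer[1]`, so for a slice shorter than five bytes it folds padding contents into the header, and a bit reader that runs slightly past the slice end would see stale data rather than zeros. Clearing the tail after the copy with `memset(s->slice_buf + slice_bytes, 0, AV_INPUT_BUFFER_PADDING_SIZE);`, or allocating with av_fast_padded_malloc, would make that deterministic. Separately, the unchanged `return -1;` under "illegal slice type" could become `return AVERROR_INVALIDDATA;` to agree with the error code the new check returns.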
