PR #22428 opened by linkeLi0421
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22428
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22428.patch
When get_bits_left() returns a negative value (bitstream reader already past the end of the buffer), the while condition while (get_bits_left(gb)) evaluates to true since any non-zero int is truthy. With the safe bitstream reader enabled, get_bits1() returns 0 past the buffer end, so the break never triggers, and leading_zeros increments toward INT_MAX. Change the condition to > 0. Signed-off-by: Linke <[email protected]> >From f6349b869e1218fe6e9cfb6c5d5de86188a4be61 Mon Sep 17 00:00:00 2001 From: Linke <[email protected]> Date: Fri, 6 Mar 2026 19:58:45 -0700 Subject: [PATCH] avformat/av1: fix uvlc loop past end of bitstream When get_bits_left() returns a negative value (bitstream reader already past the end of the buffer), the while condition while (get_bits_left(gb)) evaluates to true since any non-zero int is truthy. With the safe bitstream reader enabled, get_bits1() returns 0 past the buffer end, so the break never triggers and leading_zeros increments toward INT_MAX. Change the condition to > 0, consistent with skip_1stop_8data_bits() which already uses <= 0 for the same pattern. Signed-off-by: Linke <[email protected]> --- libavformat/av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/av1.c b/libavformat/av1.c index 35c23dd0b0..d1d88268a0 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -126,7 +126,7 @@ static inline void uvlc(GetBitContext *gb) { int leading_zeros = 0; - while (get_bits_left(gb)) { + while (get_bits_left(gb) > 0) { if (get_bits1(gb)) break; leading_zeros++; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
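Review bot: in uvlc(), leaving the while loop because get_bits_left(gb) is no longer positive looks the same to the caller as leaving it through the break on a 1 bit, and since the function is declared void a truncated code cannot be told apart from a complete one. Consider having the caller check get_bits_left(gb) after the call, or returning an error from uvlc() when the loop ends without seeing a 1 bit. Separately, leading_zeros is still bounded only by the buffer length; the AV1 specification's uvlc() treats 32 or more leading zeros as a terminal case, so an explicit cap inside the loop would keep the counter small regardless of input size. The code after the loop is not shown in this hunk, so please confirm it handles both exits.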
