On 05/10/2011 11:29 AM, Ronald S. Bultje wrote:
> ---
> libavcodec/mdec.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c
> index 545b919..9b6e6b6 100644
> --- a/libavcodec/mdec.c
> +++ b/libavcodec/mdec.c
> @@ -125,7 +125,8 @@ static inline int decode_mb(MDECContext *a, DCTELEM
> block[6][64]){
> a->dsp.clear_blocks(block[0]);
>
> for(i=0; i<6; i++){
> - if( mdec_decode_block_intra(a, block[ block_index[i] ],
> block_index[i]) < 0)
> + if( mdec_decode_block_intra(a, block[ block_index[i] ],
> block_index[i]) < 0 ||
> + get_bits_left(&a->gb) < 0)
> return -1;
> }
> return 0;
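Review bot: The added `get_bits_left(&a->gb) < 0` test in the loop condition is evaluated only after `mdec_decode_block_intra()` has returned, so it reports an overread that has already taken place rather than preventing one. Nothing in this hunk bounds how many bits a single block decode can consume past the end of the buffer, so whether the reads stay inside the input padding depends on code not shown here. Consider checking the remaining bits inside the block decoder before each read, or add a comment stating the maximum overread per block and why it fits within the padding. Both failure cases also fall through to the same bare `return -1;`, so a truncated input cannot be told apart from a block decode error; a log message for the overread case would help diagnosis.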
If get_bits_left() < 0 doesn't that mean that it has already overread?
How much can it have possibly overread by at this point, and is that <=
FF_INPUT_BUFFER_PADDING_SIZE?
-Justin
_______________________________________________
libav-devel mailing list
https://lists.libav.org/mailman/listinfo/libav-devel