Hi, On Wed, May 11, 2011 at 2:46 PM, Justin Ruggles <[email protected]> wrote: > On 05/10/2011 11:29 AM, Ronald S. Bultje wrote: >> --- >> libavcodec/mdec.c | 3 ++- >> 1 files changed, 2 insertions(+), 1 deletions(-) >> >> diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c >> index 545b919..9b6e6b6 100644 >> --- a/libavcodec/mdec.c >> +++ b/libavcodec/mdec.c >> @@ -125,7 +125,8 @@ static inline int decode_mb(MDECContext *a, DCTELEM >> block[6][64]){ >> a->dsp.clear_blocks(block[0]); >> >> for(i=0; i<6; i++){ >> - if( mdec_decode_block_intra(a, block[ block_index[i] ], >> block_index[i]) < 0) >> + if( mdec_decode_block_intra(a, block[ block_index[i] ], >> block_index[i]) < 0 || >> + get_bits_left(&a->gb) < 0) >> return -1; >> } >> return 0; > > If get_bits_left() < 0 doesn't that mean that it has already overread? > How much can it have possibly overread by at this point, and is that <= > FF_INPUT_BUFFER_PADDING_SIZE?
When I had a look at it, it seemed to always be < FF_INPUT_BUFFER_PADDING_SIZE, yes.

Ronald
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
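
Review bot: the new `get_bits_left(&a->gb) < 0` test in the `for(i=0; i<6; i++)` loop of decode_mb() is evaluated only after mdec_decode_block_intra() has returned, so it reports an overread that has already happened rather than preventing one. That is safe only while a single block can never read further past the end of the input than the buffer padding (the FF_INPUT_BUFFER_PADDING_SIZE bound asked about in the reply); please state that assumption in a comment next to the check, or bound the reads inside mdec_decode_block_intra() itself so the guarantee does not depend on the padding size. The `return -1` path is also silent in this hunk, so truncated input cannot be told apart from any other block decode failure; an error log at this point would make it diagnosable.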
