On 05/11/2011 02:49 PM, Ronald S. Bultje wrote: > Hi, > > On Wed, May 11, 2011 at 2:46 PM, Justin Ruggles > <[email protected]> wrote: >> On 05/10/2011 11:29 AM, Ronald S. Bultje wrote: >>> --- >>> libavcodec/mdec.c | 3 ++- >>> 1 files changed, 2 insertions(+), 1 deletions(-) >>> >>> diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c >>> index 545b919..9b6e6b6 100644 >>> --- a/libavcodec/mdec.c >>> +++ b/libavcodec/mdec.c >>> @@ -125,7 +125,8 @@ static inline int decode_mb(MDECContext *a, DCTELEM >>> block[6][64]){ >>> a->dsp.clear_blocks(block[0]); >>> >>> for(i=0; i<6; i++){ >>> - if( mdec_decode_block_intra(a, block[ block_index[i] ], >>> block_index[i]) < 0) >>> + if( mdec_decode_block_intra(a, block[ block_index[i] ], >>> block_index[i]) < 0 || >>> + get_bits_left(&a->gb) < 0) >>> return -1; >>> } >>> return 0; >> >> If get_bits_left() < 0 doesn't that mean that it has already overread? >> How much can it have possibly overread by at this point, and is that <= >> FF_INPUT_BUFFER_PADDING_SIZE? > > When I had a look at it, it seemed to always be < > FF_INPUT_BUFFER_PADDING_SIZE, yes.
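Review bot: the new `get_bits_left(&a->gb) < 0` test in decode_mb() runs only after `mdec_decode_block_intra()` has returned, so it catches an overread that has already happened rather than preventing one; that is safe only while the worst-case overread of a single block stays inside the input padding, and nothing in the hunk records that assumption. Suggest either a comment at the check (e.g. `/* overread is bounded by FF_INPUT_BUFFER_PADDING_SIZE */`) or testing `get_bits_left(&a->gb)` before the call so the loop bails out without reading past the end at all. Also note that because of the `||` short-circuit the bits-left test is skipped when the block decode itself fails, which is fine here since both paths `return -1`, but worth keeping in mind if the two failures ever need distinct error codes.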
Probably ok then. Was that a fuzzed file or just some random sample?

-Justin

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
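The exchange above turns on one property: a check of `get_bits_left() < 0` placed after the block decode only detects an overread that has already occurred, so the decoder is safe only if that overread is guaranteed to stay within the input padding. The following is an added example, not code from the patch or from libavcodec: a toy bit reader and a `decode_mb()` with the same shape as the patched loop, plus a helper that computes the worst-case overread so it can be compared against the padding size. `PADDING_SIZE` (a stand-in for `FF_INPUT_BUFFER_PADDING_SIZE`), the fixed 13-bit block and the sample packet are all assumed or constructed here and are not MDEC's real format.

```c
#include <stdint.h>
#include <string.h>

/* Toy stand-ins for the libavcodec names in the thread (assumed values). */
#define PADDING_SIZE    8   /* stand-in for FF_INPUT_BUFFER_PADDING_SIZE */
#define BLOCKS_PER_MB   6   /* decode_mb() in the hunk loops over 6 blocks */
#define BITS_PER_BLOCK 13   /* toy fixed-size block; real MDEC blocks are variable-length */
#define MAX_PAYLOAD    64

typedef struct {
    const uint8_t *buf;
    int size_in_bits;   /* payload length; padding bytes are not counted */
    int index;          /* bits consumed so far */
} BitReader;

static void init_bits(BitReader *gb, const uint8_t *buf, int size_bytes)
{
    gb->buf = buf;
    gb->size_in_bits = size_bytes * 8;
    gb->index = 0;
}

/* Negative once the reader has gone past the payload, as discussed in the thread. */
static int get_bits_left(const BitReader *gb)
{
    return gb->size_in_bits - gb->index;
}

/* MSB-first read with no per-read bounds check: the buffer must carry
 * PADDING_SIZE zero bytes after the payload so a bounded overread still
 * lands inside allocated memory. */
static unsigned get_bits(BitReader *gb, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        int bit = (gb->buf[gb->index >> 3] >> (7 - (gb->index & 7))) & 1;
        v = (v << 1) | bit;
        gb->index++;
    }
    return v;
}

/* Same shape as the patched decode_mb(): decode a block, then test whether
 * the reader has already run past the end of the input. */
static int decode_mb(BitReader *gb, int coeffs[BLOCKS_PER_MB])
{
    for (int i = 0; i < BLOCKS_PER_MB; i++) {
        coeffs[i] = (int)get_bits(gb, BITS_PER_BLOCK);
        if (get_bits_left(gb) < 0)
            return -1;  /* overread detected after the fact */
    }
    return 0;
}

/* Worst case: the check passed with 0 bits left, then one more block was read.
 * The after-the-fact check is only safe when this many bytes fit in the padding. */
static int max_overread_bytes(void)
{
    return (BITS_PER_BLOCK + 7) / 8;
}

typedef struct {
    int mbs_decoded;    /* macroblocks completed before the check fired (-1: bad size) */
    int overread_bits;  /* how far past the payload the reader stopped, 0 if none */
} DecodeResult;

/* Copy the payload into a padded buffer (the contract the decoder relies on)
 * and decode until the input is exhausted or the overread check fires. */
static DecodeResult decode_packet(const uint8_t *payload, int size)
{
    DecodeResult r = { 0, 0 };
    uint8_t padded[MAX_PAYLOAD + PADDING_SIZE];
    BitReader gb;
    int coeffs[BLOCKS_PER_MB];

    if (size < 0 || size > MAX_PAYLOAD) {
        r.mbs_decoded = -1;
        return r;
    }
    memcpy(padded, payload, (size_t)size);
    memset(padded + size, 0, PADDING_SIZE);
    init_bits(&gb, padded, size);

    while (get_bits_left(&gb) > 0) {
        if (decode_mb(&gb, coeffs) < 0) {
            r.overread_bits = -get_bits_left(&gb);
            break;
        }
        r.mbs_decoded++;
    }
    return r;
}

/* Constructed sample packet; the bit values are irrelevant to the toy block
 * format, and the unlisted tail of the array is zero-filled. */
static const uint8_t SAMPLE_PACKET[40] = {
    0xA5, 0x3C, 0x0F, 0xF0, 0x55, 0xAA, 0x12, 0x34, 0x56, 0x78,
    0x9A, 0xBC, 0xDE, 0xF0, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB
};
```

With a 78-bit macroblock, `decode_packet(SAMPLE_PACKET, 20)` decodes two macroblocks, then the third trips the check 9 bits past the 160-bit payload; `max_overread_bytes()` is 2, comfortably inside the 8-byte padding, which is exactly the relationship Justin's question asks about. If `BITS_PER_BLOCK` were raised above `PADDING_SIZE * 8`, that comparison would fail and the after-the-fact check would no longer be enough on its own.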
