Hi, On Wed, May 11, 2011 at 3:00 PM, Justin Ruggles <[email protected]> wrote: > On 05/11/2011 02:49 PM, Ronald S. Bultje wrote: >> On Wed, May 11, 2011 at 2:46 PM, Justin Ruggles >> <[email protected]> wrote: >>> On 05/10/2011 11:29 AM, Ronald S. Bultje wrote: >>>> --- >>>> libavcodec/mdec.c | 3 ++- >>>> 1 files changed, 2 insertions(+), 1 deletions(-) >>>> >>>> diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c >>>> index 545b919..9b6e6b6 100644 >>>> --- a/libavcodec/mdec.c >>>> +++ b/libavcodec/mdec.c >>>> @@ -125,7 +125,8 @@ static inline int decode_mb(MDECContext *a, DCTELEM >>>> block[6][64]){ >>>> a->dsp.clear_blocks(block[0]); >>>> >>>> for(i=0; i<6; i++){ >>>> - if( mdec_decode_block_intra(a, block[ block_index[i] ], >>>> block_index[i]) < 0) >>>> + if( mdec_decode_block_intra(a, block[ block_index[i] ], >>>> block_index[i]) < 0 || >>>> + get_bits_left(&a->gb) < 0) >>>> return -1; >>>> } >>>> return 0; >>> >>> If get_bits_left() < 0 doesn't that mean that it has already overread? >>> How much can it have possibly overread by at this point, and is that <= >>> FF_INPUT_BUFFER_PADDING_SIZE? >> >> When I had a look at it, it seemed to always be < >> FF_INPUT_BUFFER_PADDING_SIZE, yes. > > probably ok then. was that a fuzzed file or just some random sample?
It's the fate sample...

Ronald
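Review bot: The added get_bits_left(&a->gb) < 0 test in the decode_mb() loop runs only after mdec_decode_block_intra() has returned, so it reports an overread that has already happened rather than preventing one. That is safe only while a single block cannot read past the end of the input by more than FF_INPUT_BUFFER_PADDING_SIZE, which the thread reports as observed but which the code neither enforces nor states. Suggest either a comment at this check naming the padding assumption, or a bits-left check inside mdec_decode_block_intra() before each read, so the bound does not depend on the input. Both conditions also share the same silent "return -1"; an error log for the exhausted-bitstream case would let a caller tell truncated input apart from a block decode failure.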
