On Wed, Feb 15, 2012 at 11:22 PM, Ronald S. Bultje <[email protected]> wrote:
>
> From: "Ronald S. Bultje" <[email protected]>
>
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: [email protected]
> ---
> libavcodec/flacdec.c | 9 +++++++++
> libavcodec/golomb.h | 2 +-
> 2 files changed, 10 insertions(+), 1 deletions(-)
>
> diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
> index 2b7f7ee..7454d8b 100644
> --- a/libavcodec/flacdec.c
> +++ b/libavcodec/flacdec.c
> @@ -422,7 +422,16 @@ static inline int decode_subframe(FLACContext *s, int
> channel)
> type = get_bits(&s->gb, 6);
>
> if (get_bits1(&s->gb)) {
> + int left = get_bits_left(&s->gb);
> wasted = 1;
> + if ( left < 0 ||
> + (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
> + !show_bits_long(&s->gb, s->curr_bps)) {
> + av_log(s->avctx, AV_LOG_ERROR,
> + "Invalid number of wasted bits > available bits (%d) -
> left=%d\n",
> + s->curr_bps, left);
> + return AVERROR_INVALIDDATA;
> + }
> while (!get_bits1(&s->gb))
> wasted++;
> s->curr_bps -= wasted;
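Review bot: the third clause of the new condition, `!show_bits_long(&s->gb, s->curr_bps)`, is not guarded by `left >= s->curr_bps`, so when fewer than `curr_bps` bits remain and they contain a set bit, the second clause is false and the third peeks at more bits than are left. Making the two peeks mutually exclusive, e.g. `left < s->curr_bps ? !show_bits_long(&s->gb, left) : !show_bits_long(&s->gb, s->curr_bps)`, keeps each one inside the available data, and changing the first clause to `left <= 0` avoids a zero-width peek when `left` is 0. The check also accepts a set bit in the last of the `curr_bps` positions, which gives `wasted == s->curr_bps` and leaves `curr_bps` at 0 after the subtraction; please say whether that case is meant to pass. The log message prints `s->curr_bps`, not a wasted-bit count, so its wording should match what is printed.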
> diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
> index e19064c..f104c31 100644
> --- a/libavcodec/golomb.h
> +++ b/libavcodec/golomb.h
> @@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb,
> int k, int limit, int
> return buf;
> }else{
} else {
> int i;
> - for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
> + for(i=0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++){
for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
> LAST_SKIP_BITS(re, gb, 1);
> UPDATE_CACHE(re, gb);
> }
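Review bot: the added `i < limit` bound in the `for` condition stops the scan on a count only, so after the loop `i == limit` cannot be told apart from a found terminator unless the following code tests for it. Please confirm that the code after the loop handles `i == limit` without skipping a bit as if it were the terminating 1. Since the bound is `limit` and not the number of bits left in the buffer, a large `limit` still lets the scan run over a long run of zero bits; a check against the remaining bits would close that. A short comment stating why the bound is there would help the next reader.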
> --
> 1.7.7.4
>
> _______________________________________________
> libav-devel mailing list
> [email protected]
> https://lists.libav.org/mailman/listinfo/libav-devel
--
Thanks
Aneesh Dogra (lionaneesh)