On 02/16/2012 07:20 PM, Ronald S. Bultje wrote:

> From: "Ronald S. Bultje" <[email protected]>
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: [email protected]
> ---
>  libavcodec/flacdec.c |    9 +++++++++
>  libavcodec/golomb.h  |    2 +-
>  2 files changed, 10 insertions(+), 1 deletions(-)
> 
> diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
> index 2b7f7ee..7454d8b 100644
> --- a/libavcodec/flacdec.c
> +++ b/libavcodec/flacdec.c
> @@ -422,7 +422,16 @@ static inline int decode_subframe(FLACContext *s, int 
> channel)
>      type = get_bits(&s->gb, 6);
>  
>      if (get_bits1(&s->gb)) {
> +        int left = get_bits_left(&s->gb);
>          wasted = 1;
> +        if ( left < 0 ||
> +            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
> +                                   !show_bits_long(&s->gb, s->curr_bps)) {
> +            av_log(s->avctx, AV_LOG_ERROR,
> +                   "Invalid number of wasted bits > available bits (%d) - 
> left=%d\n",
> +                   s->curr_bps, left);
> +            return AVERROR_INVALIDDATA;
> +        }
>          while (!get_bits1(&s->gb))
>              wasted++;
>          s->curr_bps -= wasted;
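
Review bot: In the new condition in decode_subframe(), the last clause, !show_bits_long(&s->gb, s->curr_bps), is still evaluated when left < s->curr_bps and the remaining bits contain a 1, so it peeks s->curr_bps bits although fewer than that remain. Clamping the peek would avoid that and collapse the two clauses into one, for example left <= 0 || !show_bits_long(&s->gb, FFMIN(left, s->curr_bps)). Using <= also rejects left == 0 up front instead of relying on a zero-width show_bits_long(). Separately, a set bit in the last of the s->curr_bps positions passes the check with wasted == s->curr_bps, so s->curr_bps -= wasted leaves 0; if that is not a valid sample size, reject it here too. The log text prints s->curr_bps under the label "wasted bits", which will mislead anyone reading the message.
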
> diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
> index e19064c..5f720c0 100644
> --- a/libavcodec/golomb.h
> +++ b/libavcodec/golomb.h
> @@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, 
> int k, int limit, int
>          return buf;
>      }else{
>          int i;
> -        for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
> +        for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
>              LAST_SKIP_BITS(re, gb, 1);
>              UPDATE_CACHE(re, gb);
>          }
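
Review bot: The added i < limit test in get_ur_golomb_jpegls() bounds the zero-run scan by the caller's limit only, not by the bits left in gb, so the loop is only as safe as the limit each caller passes. The code after the loop also cannot tell from i alone whether it stopped on a 1 bit or because i reached limit, and nothing in the hunk documents which value is returned in that case. Consider adding a comment on the function stating the behaviour when the bound is hit, and checking get_bits_left() in the callers or in the loop condition. The whitespace cleanup of the for line is mixed into the functional change, which makes the one-token fix harder to spot when this is backported to stable.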


lgtm.

-Justin
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
