Quoting Vittorio Giovara (2014-11-04 22:28:02) > On Tue, Nov 4, 2014 at 10:42 AM, Luca Barbato <[email protected]> wrote: > > On 04/11/14 15:36, Vittorio Giovara wrote: > >> > >> From: Michael Niedermayer <[email protected]> > >> > >> CC: [email protected] > >> Bug-Id: CID 1194388 > >> --- > >> libavcodec/mjpegdec.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c > >> index d9a73d8..4728840 100644 > >> --- a/libavcodec/mjpegdec.c > >> +++ b/libavcodec/mjpegdec.c > >> @@ -964,7 +964,7 @@ static int > >> mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, > >> init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * > >> s->mb_height); > >> > >> if (!Al) { > >> - s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss); > >> + s->coefs_finished[c] |= (2LL << se) - (1LL << ss); > >> last_scan = !~s->coefs_finished[c]; > >> } > >> > > > > how big is se ? > > se can be up to 63, because all other values are caught by a if before > (se < ss || se >= 64) > however (se + 1) makes it up to 64 again. This is bigger than the size > of the variable, leading to undefined behaviour.
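Review bot: the replacement line `s->coefs_finished[c] |= (2LL << se) - (1LL << ss);` does not remove the undefined behaviour for se == 63: `2LL << 63` left-shifts a signed long long to a value that is not representable in the type, which C99 6.5.7 leaves undefined just like `1LL << 64`. Compute the mask in unsigned arithmetic instead, e.g. `(2ULL << se) - (1ULL << ss)`, where `2ULL << 63` wraps to 0 in a well-defined way and the subtraction then yields exactly bits ss..63; an equivalent form without relying on the wrap is `(~0ULL << ss) & (~0ULL >> (63 - se))`. Both are defined for every se in [ss, 63] that survives the earlier `se < ss || se >= 64` check, and the only remaining conversion (unsigned mask into a possibly signed coefs_finished) is implementation-defined rather than undefined.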
How does the patch fix anything? 2 << 63 is just as undefined as 1 << 64

-- Anton Khirnov
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
