diracdec: Correct the bytestream end pointer.

This fixes some arith decoder overreads and a potential infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0f13cc732b3752828890b8dff507615cfd454336) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-06 19:13:55 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-16 16:00:07 +0100
commit: 7f5bd6c72be0e75f4c2c0b4a7878e32ba29dca93 (patch)
tree: 87f0d5915671aa99bd070f5638a3cd254682a364
parent: 0be85fd80f4dba6d4b2d14590ab8921f6707a289 (diff)
download: ffmpeg-7f5bd6c72be0e75f4c2c0b4a7878e32ba29dca93.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 049f7592ca..7fa7137cac 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -625,7 +625,7 @@ static void decode_component(DiracContext *s, int comp)
                 b->quant = svq3_get_ue_golomb(&s->gb);
                 align_get_bits(&s->gb);
                 b->coeff_data = s->gb.buffer + get_bits_count(&s->gb)/8;
-                b->length = FFMIN(b->length, get_bits_left(&s->gb)/8);
+                b->length = FFMIN(b->length, FFMAX(get_bits_left(&s->gb)/8, 0));
                 skip_bits_long(&s->gb, b->length*8);
             }
         }
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-06 19:13:55 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-16 16:00:07 +0100
commit	7f5bd6c72be0e75f4c2c0b4a7878e32ba29dca93 (patch)
tree	87f0d5915671aa99bd070f5638a3cd254682a364
parent	0be85fd80f4dba6d4b2d14590ab8921f6707a289 (diff)
download	ffmpeg-7f5bd6c72be0e75f4c2c0b4a7878e32ba29dca93.tar.gz