aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAurelien Jacobs <aurel@gnuage.org>2009-07-05 15:23:42 +0000
committerAurelien Jacobs <aurel@gnuage.org>2009-07-05 15:23:42 +0000
commit7576516a7edfa5227cc0d82950afc027b819cdb5 (patch)
treed3574d3ace49c3cb11e0b48571b0ca3e8f7fa40a
parent5be5daf1e5929192650dc17eab02c26447df13d1 (diff)
downloadffmpeg-7576516a7edfa5227cc0d82950afc027b819cdb5.tar.gz
vp56dec: ensure range coder won't read past the end of input buffer
Originally committed as revision 19348 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/vp56.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h
index da01ad73cc..6f24c55638 100644
--- a/libavcodec/vp56.h
+++ b/libavcodec/vp56.h
@@ -50,6 +50,7 @@ typedef struct {
int high;
int bits;
const uint8_t *buffer;
+ const uint8_t *end;
unsigned long code_word;
} VP56RangeCoder;
@@ -185,6 +186,7 @@ static inline void vp56_init_range_decoder(VP56RangeCoder *c,
c->high = 255;
c->bits = 8;
c->buffer = buf;
+ c->end = buf + buf_size;
c->code_word = bytestream_get_be16(&c->buffer);
}
@@ -205,7 +207,7 @@ static inline int vp56_rac_get_prob(VP56RangeCoder *c, uint8_t prob)
while (c->high < 128) {
c->high <<= 1;
c->code_word <<= 1;
- if (--c->bits == 0) {
+ if (--c->bits == 0 && c->buffer < c->end) {
c->bits = 8;
c->code_word |= *c->buffer++;
}
@@ -228,7 +230,7 @@ static inline int vp56_rac_get(VP56RangeCoder *c)
/* normalize */
c->code_word <<= 1;
- if (--c->bits == 0) {
+ if (--c->bits == 0 && c->buffer < c->end) {
c->bits = 8;
c->code_word |= *c->buffer++;
}