diff options
author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2021-03-25 14:17:10 +0100 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2021-03-30 12:36:32 +0200 |
commit | e7cbbd90267de2a0ad1b5fa8ccb29ab7bf8a26b8 (patch) | |
tree | aa9e350777f45950c69ad6aa1a01cd7a0d572312 | |
parent | c81b8e04aa0952a7aec1e08940f29ae501fb6bfd (diff) | |
download | ffmpeg-e7cbbd90267de2a0ad1b5fa8ccb29ab7bf8a26b8.tar.gz |
avcodec/put_bits: Don't set size_in_bits, fix overflow
A PutBitContext has a field called size_in_bits which is set to the
context's bitsize init_put_bits(); but it isn't used at all (the PutBits
API uses pointers directly and not bit indexes), so remove it (due to
ABI concerns the actual element is only removed at the next bump).
Furthermore, the multiplication inherent in setting this field can lead
to undefined integer overflows. This is particularly true for FFV1,
which uses a very big worst-case buffer (37*4*width*height; even
ordinary 1080p triggers an overflow). Ticket #8350 is about this
overflow which this commit fixes.
This means that the effective range of the PutBits API is no longer
restricted by the /8 as long as one isn't using put_bits_(count|left).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-rw-r--r-- | libavcodec/put_bits.h | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index e8bc86a82c..15c2650724 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -52,7 +52,9 @@ typedef struct PutBitContext { BitBuf bit_buf; int bit_left; uint8_t *buf, *buf_ptr, *buf_end; +#if LIBAVCODEC_VERSION_MAJOR < 59 int size_in_bits; +#endif } PutBitContext; /** @@ -69,7 +71,6 @@ static inline void init_put_bits(PutBitContext *s, uint8_t *buffer, buffer = NULL; } - s->size_in_bits = 8 * buffer_size; s->buf = buffer; s->buf_end = s->buf + buffer_size; s->buf_ptr = s->buf; @@ -120,7 +121,6 @@ static inline void rebase_put_bits(PutBitContext *s, uint8_t *buffer, s->buf_end = buffer + buffer_size; s->buf_ptr = buffer + (s->buf_ptr - s->buf); s->buf = buffer; - s->size_in_bits = 8 * buffer_size; } /** @@ -414,7 +414,6 @@ static inline void set_put_bits_buffer_size(PutBitContext *s, int size) { av_assert0(size <= INT_MAX/8 - BUF_BITS); s->buf_end = s->buf + size; - s->size_in_bits = 8*size; } /** |