diff options
author | Aurelien Jacobs <aurel@gnuage.org> | 2009-07-05 15:23:42 +0000 |
---|---|---|
committer | Aurelien Jacobs <aurel@gnuage.org> | 2009-07-05 15:23:42 +0000 |
commit | 7576516a7edfa5227cc0d82950afc027b819cdb5 (patch) | |
tree | d3574d3ace49c3cb11e0b48571b0ca3e8f7fa40a /libavcodec | |
parent | 5be5daf1e5929192650dc17eab02c26447df13d1 (diff) | |
download | ffmpeg-7576516a7edfa5227cc0d82950afc027b819cdb5.tar.gz |
vp56dec: ensure range coder won't read past the end of input buffer
Originally committed as revision 19348 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vp56.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index da01ad73cc..6f24c55638 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -50,6 +50,7 @@ typedef struct { int high; int bits; const uint8_t *buffer; + const uint8_t *end; unsigned long code_word; } VP56RangeCoder; @@ -185,6 +186,7 @@ static inline void vp56_init_range_decoder(VP56RangeCoder *c, c->high = 255; c->bits = 8; c->buffer = buf; + c->end = buf + buf_size; c->code_word = bytestream_get_be16(&c->buffer); } @@ -205,7 +207,7 @@ static inline int vp56_rac_get_prob(VP56RangeCoder *c, uint8_t prob) while (c->high < 128) { c->high <<= 1; c->code_word <<= 1; - if (--c->bits == 0) { + if (--c->bits == 0 && c->buffer < c->end) { c->bits = 8; c->code_word |= *c->buffer++; } @@ -228,7 +230,7 @@ static inline int vp56_rac_get(VP56RangeCoder *c) /* normalize */ c->code_word <<= 1; - if (--c->bits == 0) { + if (--c->bits == 0 && c->buffer < c->end) { c->bits = 8; c->code_word |= *c->buffer++; } |