[FFmpeg-cvslog] Merge commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7'

James Almer git at videolan.org
Wed Oct 4 02:30:21 EEST 2017


ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Tue Oct  3 20:28:51 2017 -0300| [cb222d73225adae76893f58c8283b32a9943094f] | committer: James Almer

Merge commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7'

* commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7':
  svq3: fix the slice size check

Merged-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb222d73225adae76893f58c8283b32a9943094f
---

 libavcodec/svq3.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 5cb5bd45b7..a937b2f951 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -1036,17 +1036,16 @@ static int svq3_decode_slice_header(AVCodecContext *avctx)
         slice_bits   = slice_length * 8;
         slice_bytes  = slice_length + length - 1;
 
-        if (8LL*slice_bytes > get_bits_left(&s->gb)) {
-            av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
-            return -1;
-        }
-
         skip_bits(&s->gb, 8);
 
         av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE);
         if (!s->slice_buf)
             return AVERROR(ENOMEM);
 
+        if (slice_bytes * 8LL > get_bits_left(&s->gb)) {
+            av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+            return AVERROR_INVALIDDATA;
+        }
         memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes);
 
         init_get_bits(&s->gb_slice, s->slice_buf, slice_bits);
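Review bot: The relocated bounds check now sits after `av_fast_malloc`, so a `slice_bytes` value derived from the bitstream sizes an allocation before it has been compared with the remaining input. Placing the `if (slice_bytes * 8LL > get_bits_left(&s->gb))` block directly after `skip_bits(&s->gb, 8);` keeps the corrected accounting for the consumed byte while rejecting an oversized slice before any memory is requested. The check also has no lower bound: if `slice_bytes` is signed and `length` can be 0 at this point (neither is visible in the hunk), a negative value would pass the comparison and reach `memcpy`, so confirm that the header validation above excludes it. The combined diff further down shows the same ordering. svq3_decode_slice_header starts and ends outside the hunk.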


======================================================================

diff --cc libavcodec/svq3.c
index 5cb5bd45b7,667d3906a1..a937b2f951
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@@ -1036,32 -1031,30 +1036,31 @@@ static int svq3_decode_slice_header(AVC
          slice_bits   = slice_length * 8;
          slice_bytes  = slice_length + length - 1;
  
-         if (8LL*slice_bytes > get_bits_left(&s->gb)) {
-             av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
-             return -1;
-         }
- 
 -        bitstream_skip(&s->bc, 8);
 +        skip_bits(&s->gb, 8);
  
          av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE);
          if (!s->slice_buf)
              return AVERROR(ENOMEM);
  
 -        if (slice_bytes * 8 > bitstream_bits_left(&s->bc)) {
++        if (slice_bytes * 8LL > get_bits_left(&s->gb)) {
+             av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+             return AVERROR_INVALIDDATA;
+         }
 -        memcpy(s->slice_buf, s->bc.buffer + bitstream_tell(&s->bc) / 8, slice_bytes);
 +        memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes);
 +
 +        init_get_bits(&s->gb_slice, s->slice_buf, slice_bits);
  
          if (s->watermark_key) {
 -            uint32_t header = AV_RL32(&s->bc_slice.buffer[1]);
 -            AV_WL32(&s->bc_slice.buffer[1], header ^ s->watermark_key);
 +            uint32_t header = AV_RL32(&s->gb_slice.buffer[1]);
 +            AV_WL32(&s->gb_slice.buffer[1], header ^ s->watermark_key);
          }
          if (length > 0) {
 -            memcpy(s->slice_buf, &s->slice_buf[slice_length], length - 1);
 +            memmove(s->slice_buf, &s->slice_buf[slice_length], length - 1);
          }
 -        bitstream_skip(&s->bc, slice_bytes * 8);
 -        bitstream_init(&s->bc_slice, s->slice_buf, slice_bits);
 +        skip_bits_long(&s->gb, slice_bytes * 8);
      }
  
 -    if ((slice_id = get_interleaved_ue_golomb(&s->bc_slice)) >= 3) {
 +    if ((slice_id = get_interleaved_ue_golomb(&s->gb_slice)) >= 3) {
          av_log(s->avctx, AV_LOG_ERROR, "illegal slice type %u \n", slice_id);
          return -1;
      }
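Review bot: The padding that follows the copied slice is never cleared in the visible lines: `av_fast_malloc` does not zero the buffer and the `memcpy` fills only `slice_bytes`, so the `AV_INPUT_BUFFER_PADDING_SIZE` tail may hold stale data from an earlier, larger slice. Bit readers may over-read into that padding, and the `AV_RL32(&s->gb_slice.buffer[1])` watermark read would reach it for a very short slice. Adding `memset(s->slice_buf + slice_bytes, 0, AV_INPUT_BUFFER_PADDING_SIZE);` right after the `memcpy` would make the tail deterministic. The function body continues outside the hunk.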


