[FFmpeg-cvslog] avcodec/vp3: Fix end of bitstream check in unpack_superblocks()
Michael Niedermayer
git at videolan.org
Sat Jun 2 22:48:29 EEST 2018
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed May 30 22:51:33 2018 +0200| [5ee203076fa1b1b5da32f525f2b6df3bd5e93b09] | committer: Michael Niedermayer
avcodec/vp3: Fix end of bitstream check in unpack_superblocks()
Fixes: regression
Found-by: Frank Liberato <liberato at google.com>
Tested-by: Frank Liberato <liberato at google.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5ee203076fa1b1b5da32f525f2b6df3bd5e93b09
---
libavcodec/vp3.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 2050090670..0e6da89abb 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -451,6 +451,7 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb)
int i, j;
int current_fragment;
int plane;
+ int plane0_num_coded_frags = 0;
if (s->keyframe) {
memset(s->superblock_coding, SB_FULLY_CODED, s->superblock_count);
@@ -543,8 +544,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb)
: s->y_superblock_count);
int num_coded_frags = 0;
- for (i = sb_start; i < sb_end; i++) {
- if (get_bits_left(gb) < ((s->total_num_coded_frags + num_coded_frags) >> 2)) {
+ for (i = sb_start; i < sb_end && get_bits_left(gb) > 0; i++) {
+ if (s->keyframe == 0 && get_bits_left(gb) < plane0_num_coded_frags >> 2) {
return AVERROR_INVALIDDATA;
}
/* iterate through all 16 fragments in a superblock */
@@ -579,6 +580,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb)
}
}
}
+ if (!plane)
+ plane0_num_coded_frags = num_coded_frags;
s->total_num_coded_frags += num_coded_frags;
for (i = 0; i < 64; i++)
s->num_coded_frags[plane][i] = num_coded_frags;
More information about the ffmpeg-cvslog
mailing list