mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-11-21 10:55:51 +02:00
vp56dec: ensure range coder won't read past the end of input buffer
Originally committed as revision 19348 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
parent
5be5daf1e5
commit
7576516a7e
@ -50,6 +50,7 @@ typedef struct {
|
||||
int high;
|
||||
int bits;
|
||||
const uint8_t *buffer;
|
||||
const uint8_t *end;
|
||||
unsigned long code_word;
|
||||
} VP56RangeCoder;
|
||||
|
||||
@ -185,6 +186,7 @@ static inline void vp56_init_range_decoder(VP56RangeCoder *c,
|
||||
c->high = 255;
|
||||
c->bits = 8;
|
||||
c->buffer = buf;
|
||||
c->end = buf + buf_size;
|
||||
c->code_word = bytestream_get_be16(&c->buffer);
|
||||
}
|
||||
|
||||
@ -205,7 +207,7 @@ static inline int vp56_rac_get_prob(VP56RangeCoder *c, uint8_t prob)
|
||||
while (c->high < 128) {
|
||||
c->high <<= 1;
|
||||
c->code_word <<= 1;
|
||||
if (--c->bits == 0) {
|
||||
if (--c->bits == 0 && c->buffer < c->end) {
|
||||
c->bits = 8;
|
||||
c->code_word |= *c->buffer++;
|
||||
}
|
||||
@ -228,7 +230,7 @@ static inline int vp56_rac_get(VP56RangeCoder *c)
|
||||
|
||||
/* normalize */
|
||||
c->code_word <<= 1;
|
||||
if (--c->bits == 0) {
|
||||
if (--c->bits == 0 && c->buffer < c->end) {
|
||||
c->bits = 8;
|
||||
c->code_word |= *c->buffer++;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user