Currently it incorrectly compares bits with bytes. Also, move the check right before where it's relevant, so that the correct number of remaining bits is used.
CC: libav-sta...@libav.org
---
 libavcodec/svq3.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 8bbd331..f8143a2 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -1030,17 +1030,16 @@ static int svq3_decode_slice_header(AVCodecContext *avctx)
 slice_bits = slice_length * 8;
 slice_bytes = slice_length + length - 1;

- if (slice_bytes > get_bits_left(&s->gb)) {
- av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
- return -1;
- }
-
 skip_bits(&s->gb, 8);

 av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE);
 if (!s->slice_buf)
 return AVERROR(ENOMEM);

+ if (slice_bytes * 8 > get_bits_left(&s->gb)) {
+ av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+ return -1;
+ }
 memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes);

 init_get_bits(&s->gb_slice, s->slice_buf, slice_bits);
--
2.0.0
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
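Review bot: The relocated bounds check now sits after `av_fast_malloc()`, so a slice length read from the bitstream sizes an allocation before it has been validated against the remaining input. Placing the `if (slice_bytes * 8 > get_bits_left(&s->gb))` block directly after `skip_bits(&s->gb, 8);` keeps the corrected bit count and rejects an oversized slice before anything is allocated. The error path still returns a bare `-1` while the line just above uses `AVERROR(ENOMEM)`; `return AVERROR_INVALIDDATA;` would be consistent. The check also has no lower bound: whether `slice_bytes` can be zero or negative when it reaches `memcpy` depends on header validation outside this hunk, as does the rest of svq3_decode_slice_header.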