Currently it incorrectly compares bits with bytes.
Also, move the check right before where it's relevant, so that the
correct number of remaining bits is used.
CC: libav-sta...@libav.org
---
libavcodec/svq3.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 8bbd331..f8143a2 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -1030,17 +1030,16 @@ static int svq3_decode_slice_header(AVCodecContext
*avctx)
slice_bits = slice_length * 8;
slice_bytes = slice_length + length - 1;
- if (slice_bytes > get_bits_left(&s->gb)) {
- av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
- return -1;
- }
-
skip_bits(&s->gb, 8);
av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes +
AV_INPUT_BUFFER_PADDING_SIZE);
if (!s->slice_buf)
return AVERROR(ENOMEM);
+ if (slice_bytes * 8 > get_bits_left(&s->gb)) {
+ av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+ return -1;
+ }
memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes);
init_get_bits(&s->gb_slice, s->slice_buf, slice_bits);
--
2.0.0
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
