This prevents invalid writes outside put_bits' buffer.
It also has the side effect of allowing measurement of the required
size of a buffer without the need to pre-allocate an over-sized buffer.
This fixes a crash in aacenc.c where it could write past the end of the
allocated packet, which is allocated to be the max size allowed by the
aac spec. aacenc.c uses the above feature to check the size
of encoded data and try again when the size is too large.
---
libavcodec/put_bits.h | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h
index 17666fa..30b1dd2 100644
--- a/libavcodec/put_bits.h
+++ b/libavcodec/put_bits.h
@@ -89,10 +89,14 @@ static inline void flush_put_bits(PutBitContext *s)
while (s->bit_left < 32) {
/* XXX: should test end of buffer */
#ifdef BITSTREAM_WRITER_LE
- *s->buf_ptr++ = s->bit_buf;
+ if (s->buf_ptr < s->buf_end)
+ *s->buf_ptr = s->bit_buf;
+ s->buf_ptr++;
s->bit_buf >>= 8;
#else
- *s->buf_ptr++ = s->bit_buf >> 24;
+ if (s->buf_ptr < s->buf_end)
+ *s->buf_ptr = s->bit_buf >> 24;
+ s->buf_ptr++;
s->bit_buf <<= 8;
#endif
s->bit_left += 8;
@@ -145,7 +149,8 @@ static inline void put_bits(PutBitContext *s, int n,
unsigned int value)
#ifdef BITSTREAM_WRITER_LE
bit_buf |= value << (32 - bit_left);
if (n >= bit_left) {
- AV_WL32(s->buf_ptr, bit_buf);
+ if (s->buf_ptr < s->buf_end)
+ AV_WL32(s->buf_ptr, bit_buf);
s->buf_ptr += 4;
bit_buf = (bit_left == 32) ? 0 : value >> bit_left;
bit_left += 32;
@@ -158,7 +163,8 @@ static inline void put_bits(PutBitContext *s, int n,
unsigned int value)
} else {
bit_buf <<= bit_left;
bit_buf |= value >> (n - bit_left);
- AV_WB32(s->buf_ptr, bit_buf);
+ if (s->buf_ptr < s->buf_end)
+ AV_WB32(s->buf_ptr, bit_buf);
s->buf_ptr += 4;
bit_left += 32 - n;
bit_buf = value;
--
2.9.3
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
