This prevents invalid writes outside put_bits' buffer. It also has the side effect of allowing measurement of the required size of a buffer without the need to pre-allocate an over-sized buffer.
This fixes a crash in aacenc.c where it could write past the end of the allocated packet, which is allocated to be the max size allowed by the aac spec. aacenc.c uses the above feature to check the size of encoded data and try again when the size is too large.
---
 libavcodec/put_bits.h | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h
index 17666fa..30b1dd2 100644
--- a/libavcodec/put_bits.h
+++ b/libavcodec/put_bits.h
@@ -89,10 +89,14 @@ static inline void flush_put_bits(PutBitContext *s)
 while (s->bit_left < 32) {
 /* XXX: should test end of buffer */
 #ifdef BITSTREAM_WRITER_LE
- *s->buf_ptr++ = s->bit_buf;
+ if (s->buf_ptr < s->buf_end)
+ *s->buf_ptr = s->bit_buf;
+ s->buf_ptr++;
 s->bit_buf >>= 8;
 #else
- *s->buf_ptr++ = s->bit_buf >> 24;
+ if (s->buf_ptr < s->buf_end)
+ *s->buf_ptr = s->bit_buf >> 24;
+ s->buf_ptr++;
 s->bit_buf <<= 8;
 #endif
 s->bit_left += 8;
@@ -145,7 +149,8 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value)
 #ifdef BITSTREAM_WRITER_LE
 bit_buf |= value << (32 - bit_left);
 if (n >= bit_left) {
- AV_WL32(s->buf_ptr, bit_buf);
+ if (s->buf_ptr < s->buf_end)
+ AV_WL32(s->buf_ptr, bit_buf);
 s->buf_ptr += 4;
 bit_buf = (bit_left == 32) ? 0 : value >> bit_left;
 bit_left += 32;
@@ -158,7 +163,8 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value)
 } else {
 bit_buf <<= bit_left;
 bit_buf |= value >> (n - bit_left);
- AV_WB32(s->buf_ptr, bit_buf);
+ if (s->buf_ptr < s->buf_end)
+ AV_WB32(s->buf_ptr, bit_buf);
 s->buf_ptr += 4;
 bit_left += 32 - n;
 bit_buf = value;
--
2.9.3
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
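Review bot: The `/* XXX: should test end of buffer */` comment kept as context in flush_put_bits is now stale, because the added `if (s->buf_ptr < s->buf_end)` is that test, while the unconditional `s->buf_ptr++` lets the pointer run past `buf_end` as part of the new contract. I would replace it with a comment along the lines of `/* bytes past buf_end are dropped; buf_ptr keeps advancing so the caller can measure the required size */`. Advancing a pointer more than one element past the end of its array is undefined behaviour in C, so a separate overflow counter would be the stricter design. Any helper that derives a length or write position from `buf_ptr` presumably needs to tolerate `buf_ptr > buf_end` now, which should be confirmed against the rest of the header. The function body starts and ends outside the hunk.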
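Review bot: The guard added in put_bits only proves that one byte remains, but `AV_WL32` (and `AV_WB32` in the `@@ -158,7 +163,8 @@` hunk) is followed by `s->buf_ptr += 4`, so it stores a full 32-bit word. With one to three bytes left before `buf_end`, the store would still write past the end of the buffer. The condition should require room for the whole word in both branches, e.g. `if (s->buf_end - s->buf_ptr >= 4)`. put_bits starts and ends outside both hunks, and whether every caller sizes the buffer as a multiple of four is not visible here, so the check should not rely on that.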