On Sun, Feb 26, 2017 at 12:58 PM, John Stebbins <stebb...@jetheaddev.com> wrote: > This prevents invalid writes outside put_bits' buffer. > > It also has the side effect of allowing measurement of the required > size of a buffer without the need to pre-allocate an over-sized buffer. > > This fixes a crash in aacenc.c where it could write past the end of the > allocated packet, which is allocated to be the max size allowed by the > aac spec. aacenc.c uses the above feature to check the size > of encoded data and try again when the size is too large. > --- > libavcodec/put_bits.h | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h > index 17666fa..30b1dd2 100644 > --- a/libavcodec/put_bits.h > +++ b/libavcodec/put_bits.h > @@ -89,10 +89,14 @@ static inline void flush_put_bits(PutBitContext *s) > while (s->bit_left < 32) { > /* XXX: should test end of buffer */ > #ifdef BITSTREAM_WRITER_LE > - *s->buf_ptr++ = s->bit_buf; > + if (s->buf_ptr < s->buf_end) > + *s->buf_ptr = s->bit_buf; > + s->buf_ptr++; > s->bit_buf >>= 8; > #else > - *s->buf_ptr++ = s->bit_buf >> 24; > + if (s->buf_ptr < s->buf_end) > + *s->buf_ptr = s->bit_buf >> 24; > + s->buf_ptr++; > s->bit_buf <<= 8; > #endif > s->bit_left += 8;
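Review bot: in flush_put_bits, both branches now execute `s->buf_ptr++` unconditionally after the guarded store, so the pointer can advance more than one element past `s->buf_end`. Forming such a pointer is undefined behaviour in C, and in these lines the only sign of truncation is the pointer itself. The commit message relies on this to measure the required size, so consider keeping the overflow in a separate byte counter or flag and leaving `s->buf_ptr` clamped at `s->buf_end`. At minimum, document that callers must compare `s->buf_ptr` with `s->buf_end` before trusting the buffer contents. The context comment `/* XXX: should test end of buffer */` is stale now that the test exists and should be dropped or replaced by that explanation.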
shouldn't you move the buffer pointer only if it's within bounds? namely, do
s->buf_ptr++;
only when s->buf_ptr < s->buf_end
same in the other chunk
--
Vittorio