On Sun, Feb 26, 2017 at 12:58 PM, John Stebbins <stebb...@jetheaddev.com> wrote:
> This prevents invalid writes outside put_bits' buffer.
>
> It also has the side effect of allowing measurement of the required
> size of a buffer without the need to pre-allocate an over-sized buffer.
>
> This fixes a crash in aacenc.c where it could write past the end of the
> allocated packet, which is allocated to be the max size allowed by the
> aac spec.  aacenc.c uses the above feature to check the size
> of encoded data and try again when the size is too large.
> ---
>  libavcodec/put_bits.h | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h
> index 17666fa..30b1dd2 100644
> --- a/libavcodec/put_bits.h
> +++ b/libavcodec/put_bits.h
> @@ -89,10 +89,14 @@ static inline void flush_put_bits(PutBitContext *s)
>      while (s->bit_left < 32) {
>          /* XXX: should test end of buffer */
>  #ifdef BITSTREAM_WRITER_LE
> -        *s->buf_ptr++ = s->bit_buf;
> +        if (s->buf_ptr < s->buf_end)
> +            *s->buf_ptr = s->bit_buf;
> +        s->buf_ptr++;
>          s->bit_buf  >>= 8;
>  #else
> -        *s->buf_ptr++ = s->bit_buf >> 24;
> +        if (s->buf_ptr < s->buf_end)
> +            *s->buf_ptr = s->bit_buf >> 24;
> +        s->buf_ptr++;
>          s->bit_buf  <<= 8;
>  #endif
>          s->bit_left  += 8;
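Review bot: the `/* XXX: should test end of buffer */` comment just above the `#ifdef` is left in place even though this hunk adds exactly that test; drop it, or replace it with a comment stating the new contract, namely that bytes beyond buf_end are discarded while buf_ptr keeps advancing so the caller can compute the size the output would have needed. That contract also deserves a note on the PutBitContext fields (or on flush_put_bits) saying that buf_ptr may legitimately end up past buf_end after a flush and that callers must compare it against buf_end before treating the buffer contents as valid output; otherwise the next reader sees the truncation in `if (s->buf_ptr < s->buf_end)` without seeing the overflow report anywhere. One caveat on the chosen mechanism: incrementing buf_ptr more than one byte past the end of the allocation is undefined behaviour in C even if the increment is never dereferenced, so an overflow count (or a byte index instead of a raw pointer) would report the required size without relying on an out-of-range pointer.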

Shouldn't you move the buffer pointer only if it's within bounds?
Namely, do s->buf_ptr++; only when s->buf_ptr < s->buf_end.
Same in the other chunk.
-- 
Vittorio
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
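As an added example that is not libav code and not the patch author's, the pattern the commit message describes, written as a small self-contained bit writer: output beyond the buffer is dropped, the position keeps advancing so the caller learns the size the output would have needed, and an encoder uses that to retry with a smaller representation until the frame fits a fixed-size packet. The type BitWriter and the functions bw_init, bw_put_byte, bw_put_bits, bw_flush, encode_symbols and encode_fitting are hypothetical names chosen for this illustration. The writer keeps a byte index instead of a raw pointer, so running past the end never forms an out-of-range pointer, which sidesteps the undefined-behaviour concern with advancing buf_ptr past buf_end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal bit writer (not libav's PutBitContext). The output
 * position is a byte index, not a pointer, so it can run past `size` without
 * ever forming an out-of-range pointer; bytes beyond `size` are dropped. */
typedef struct {
    uint8_t *buf;       /* output buffer, may be NULL when size == 0 */
    size_t   size;      /* bytes available in buf (0 = pure measuring pass) */
    size_t   pos;       /* next byte offset; may exceed size */
    uint32_t bit_buf;   /* bits accumulated for the current output byte */
    int      bit_left;  /* free bits remaining in bit_buf (1..8) */
} BitWriter;

static void bw_init(BitWriter *s, uint8_t *buf, size_t size)
{
    s->buf = buf;
    s->size = size;
    s->pos = 0;
    s->bit_buf = 0;
    s->bit_left = 8;
}

/* Emit one byte: store it only if it fits, but always advance, so that
 * `pos` ends up as the size the output would have needed. */
static void bw_put_byte(BitWriter *s, uint8_t b)
{
    if (s->pos < s->size)
        s->buf[s->pos] = b;
    s->pos++;
}

/* Append the low `n` bits of `value`, MSB first (n <= 32). */
static void bw_put_bits(BitWriter *s, int n, uint32_t value)
{
    while (n > 0) {
        int take = n < s->bit_left ? n : s->bit_left;      /* 1..8 */
        uint32_t chunk = (value >> (n - take)) & ((1u << take) - 1);
        s->bit_buf = (s->bit_buf << take) | chunk;
        s->bit_left -= take;
        n -= take;
        if (s->bit_left == 0) {
            bw_put_byte(s, (uint8_t)s->bit_buf);
            s->bit_buf = 0;
            s->bit_left = 8;
        }
    }
}

/* Pad the partial byte with zero bits and emit it. */
static void bw_flush(BitWriter *s)
{
    if (s->bit_left < 8) {
        bw_put_byte(s, (uint8_t)(s->bit_buf << s->bit_left));
        s->bit_buf = 0;
        s->bit_left = 8;
    }
}

/* Encode `n` symbols of `width` bits each behind a 12-bit header.
 * Returns the number of bytes the frame needs; bytes past `out_size`
 * are not written. A result > out_size means "did not fit". */
static size_t encode_symbols(const uint16_t *syms, size_t n, int width,
                             uint8_t *out, size_t out_size)
{
    BitWriter s;
    bw_init(&s, out, out_size);
    bw_put_bits(&s, 8, (uint32_t)n);      /* symbol count */
    bw_put_bits(&s, 4, (uint32_t)width);  /* bits per symbol */
    for (size_t i = 0; i < n; i++)
        bw_put_bits(&s, width, syms[i]);
    bw_flush(&s);
    return s.pos;
}

/* The retry loop the commit message describes for aacenc: encode, and if
 * the frame overran the fixed-size packet, coarsen and try again.
 * Returns the symbol width that fit, or -1 if none did. */
static int encode_fitting(const uint16_t *syms, size_t n, int width,
                          uint8_t *out, size_t max_size)
{
    for (; width > 0; width--) {
        size_t need = encode_symbols(syms, n, width, out, max_size);
        if (need <= max_size)
            return width;
    }
    return -1;
}

int main(void)
{
    const uint16_t syms[4] = {1, 2, 3, 4};   /* constructed sample input */
    uint8_t out[4];
    size_t need = encode_symbols(syms, 4, 8, NULL, 0);  /* measuring pass */
    printf("8-bit symbols need %zu bytes, packet holds %zu\n", need, sizeof out);
    int w = encode_fitting(syms, 4, 8, out, sizeof out);
    printf("fits at %d bits per symbol: %02x %02x %02x %02x\n",
           w, out[0], out[1], out[2], out[3]);
    return w < 0;
}
```

The measuring pass with a NULL buffer and size 0 is the "measure without pre-allocating" use the commit message mentions; the caller still has to compare the returned size against the buffer it actually passed, which is the check a caller of the patched flush_put_bits would need to make against buf_end.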