On 28/02/2017 16:27, Vittorio Giovara wrote:
> On Sun, Feb 26, 2017 at 12:58 PM, John Stebbins <stebb...@jetheaddev.com> 
> wrote:
>> This prevents invalid writes outside put_bits' buffer.
>>
>> It also has the side effect of allowing measurement of the required
>> size of a buffer without the need to pre-allocate an over-sized buffer.
>>
>> This fixes a crash in aacenc.c where it could write past the end of the
>> allocated packet, which is allocated to be the max size allowed by the
>> aac spec.  aacenc.c uses the above feature to check the size
>> of encoded data and try again when the size is too large.
>> ---
>>  libavcodec/put_bits.h | 14 ++++++++++----
>>  1 file changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h
>> index 17666fa..30b1dd2 100644
>> --- a/libavcodec/put_bits.h
>> +++ b/libavcodec/put_bits.h
>> @@ -89,10 +89,14 @@ static inline void flush_put_bits(PutBitContext *s)
>>      while (s->bit_left < 32) {
>>          /* XXX: should test end of buffer */
>>  #ifdef BITSTREAM_WRITER_LE
>> -        *s->buf_ptr++ = s->bit_buf;
>> +        if (s->buf_ptr < s->buf_end)
>> +            *s->buf_ptr = s->bit_buf;
>> +        s->buf_ptr++;
>>          s->bit_buf  >>= 8;
>>  #else
>> -        *s->buf_ptr++ = s->bit_buf >> 24;
>> +        if (s->buf_ptr < s->buf_end)
>> +            *s->buf_ptr = s->bit_buf >> 24;
>> +        s->buf_ptr++;
>>          s->bit_buf  <<= 8;
>>  #endif
>>          s->bit_left  += 8;
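Review bot: the `/* XXX: should test end of buffer */` comment kept as context in this hunk is now out of date, because the two `if (s->buf_ptr < s->buf_end)` checks added right under it are that test; drop it, or replace it with a line saying that bytes past `buf_end` are discarded while `buf_ptr` keeps advancing so the reported size stays the nominal one. That behaviour also deserves a sentence in the header next to the functions that report the size written, since after an overflow `buf_ptr` is outside the buffer and a caller that derives a write position from it, rather than comparing the reported size against the real buffer size and retrying as the commit message describes for aacenc.c, is not protected by this change. A smaller point: the LE and BE branches now differ only in the value stored, so the check and the increment could be hoisted out of the `#ifdef` and written once.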
> 
> shouldn't you move the buffer pointer only if it's within bounds?
> namely, do s->buf_ptr++; only when s->buf_ptr < s->buf_end
> same in the other chunk
> 

We'd have to change the functions that report the nominal size written then.

lu
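To make the mechanism under discussion concrete, here is a small self-contained C example of the "discard the byte, keep counting" pattern and the measure-then-retry flow the commit message describes. It is added here and is not libav's put_bits.h or aacenc.c code: the bit writer, its function names, the toy 4-bit-count-plus-13-bit-symbols syntax and the sample symbols are all constructed for this illustration. It uses a byte index rather than a raw pointer so that counting past the end never forms an out-of-range pointer, but the check is the same as in the patch: a byte that would land past the end is dropped and the position still advances, so the reported size is the nominal one and a caller can compare it with the real buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal MSB-first bit writer written for this example (not libav's PutBitContext). */
typedef struct {
    uint64_t acc;   /* pending bits, right-aligned; fewer than 8 between calls */
    int      nbits; /* number of pending bits in acc */
    uint8_t *buf;   /* output buffer (may be NULL when size == 0: a pure dry run) */
    size_t   size;  /* real capacity in bytes */
    size_t   pos;   /* nominal write position; keeps counting past size */
} BitWriter;

static void bw_init(BitWriter *s, uint8_t *buf, size_t size)
{
    s->acc = 0; s->nbits = 0;
    s->buf = buf; s->size = size; s->pos = 0;
}

/* The bounds-checked store from the patch: out-of-range bytes are discarded,
 * the position always advances so the nominal size stays correct. */
static void bw_emit_byte(BitWriter *s, uint8_t b)
{
    if (s->pos < s->size)
        s->buf[s->pos] = b;
    s->pos++;
}

/* Append the low n bits of value (1 <= n <= 32), most significant bit first. */
static void bw_put_bits(BitWriter *s, int n, uint32_t value)
{
    if (n < 1 || n > 32)
        return;
    s->acc    = (s->acc << n) | (value & ((1ull << n) - 1));
    s->nbits += n;
    while (s->nbits >= 8) {            /* drain whole bytes from the top of acc */
        s->nbits -= 8;
        bw_emit_byte(s, (uint8_t)(s->acc >> s->nbits));
    }
    s->acc &= (1ull << s->nbits) - 1;  /* keep only the bits still pending */
}

/* Zero-pad the last partial byte and write it out. */
static void bw_flush(BitWriter *s)
{
    if (s->nbits > 0) {
        bw_emit_byte(s, (uint8_t)(s->acc << (8 - s->nbits)));
        s->acc = 0;
        s->nbits = 0;
    }
}

/* Nominal bytes produced, including any that were dropped. */
static size_t bw_nominal_size(const BitWriter *s) { return s->pos; }
/* True if the output did not fit; nothing past size was ever written. */
static int bw_overflowed(const BitWriter *s) { return s->pos > s->size; }

/* Constructed toy syntax: a 4-bit symbol count followed by 13-bit symbols. */
static void encode_symbols(BitWriter *s, const uint16_t *sym, int count)
{
    bw_put_bits(s, 4, (uint32_t)count);
    for (int i = 0; i < count; i++)
        bw_put_bits(s, 13, sym[i]);
    bw_flush(s);
}

/* Encode into out[0..out_size). Returns the nominal size; *fits says whether the
 * whole packet was stored. out_size == 0 turns the call into a size measurement. */
static size_t encode_packet(uint8_t *out, size_t out_size,
                            const uint16_t *sym, int count, int *fits)
{
    BitWriter s;
    bw_init(&s, out, out_size);
    encode_symbols(&s, sym, count);
    *fits = !bw_overflowed(&s);
    return bw_nominal_size(&s);
}

int main(void)
{
    /* constructed sample: 5 symbols -> 4 + 5*13 = 69 bits -> 9 bytes */
    const uint16_t sym[5] = { 0x1FFF, 0x0ABC, 0x0001, 0x1000, 0x0555 };
    uint8_t pkt[8 + 1];            /* 8 usable bytes plus one canary byte */
    int fits;

    pkt[8] = 0xA5;                 /* canary: must survive the overflow below */
    size_t need = encode_packet(pkt, 8, sym, 5, &fits);
    printf("first try: fits=%d nominal=%zu canary=%s\n",
           fits, need, pkt[8] == 0xA5 ? "intact" : "CLOBBERED");

    if (!fits) {                   /* retry with the measured size, as aacenc.c does */
        uint8_t *big = malloc(need);
        if (!big)
            return 1;
        size_t got = encode_packet(big, need, sym, 5, &fits);
        printf("retry: fits=%d nominal=%zu first byte=0x%02X\n", fits, got, big[0]);
        free(big);
    }
    return 0;
}
```

The first attempt reports 9 nominal bytes while only 8 were stored and the canary is untouched; the retry with a 9-byte buffer fits. Note the restriction the pattern carries: after an overflow the stored prefix is valid but the position is past the buffer, so the only safe thing to do with it is compare it against the real size and retry, never derive a write location from it.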
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
