On 28/02/2017 16:27, Vittorio Giovara wrote: > On Sun, Feb 26, 2017 at 12:58 PM, John Stebbins <stebb...@jetheaddev.com> > wrote: >> This prevents invalid writes outside put_bits' buffer. >> >> It also has the side effect of allowing measurement of the required >> size of a buffer without the need to pre-allocate an over-sized buffer. >> >> This fixes a crash in aacenc.c where it could write past the end of the >> allocated packet, which is allocated to be the max size allowed by the >> aac spec. aacenc.c uses the above feature to check the size >> of encoded data and try again when the size is too large. >> --- >> libavcodec/put_bits.h | 14 ++++++++++---- >> 1 file changed, 10 insertions(+), 4 deletions(-) >> >> diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h >> index 17666fa..30b1dd2 100644 >> --- a/libavcodec/put_bits.h >> +++ b/libavcodec/put_bits.h >> @@ -89,10 +89,14 @@ static inline void flush_put_bits(PutBitContext *s) >> while (s->bit_left < 32) { >> /* XXX: should test end of buffer */ >> #ifdef BITSTREAM_WRITER_LE >> - *s->buf_ptr++ = s->bit_buf; >> + if (s->buf_ptr < s->buf_end) >> + *s->buf_ptr = s->bit_buf; >> + s->buf_ptr++; >> s->bit_buf >>= 8; >> #else >> - *s->buf_ptr++ = s->bit_buf >> 24; >> + if (s->buf_ptr < s->buf_end) >> + *s->buf_ptr = s->bit_buf >> 24; >> + s->buf_ptr++; >> s->bit_buf <<= 8; >> #endif >> s->bit_left += 8; > > shouldn't you move the buffer pointer only if it's within bounds? > namely, do s->buf_ptr++; only when s->buf_ptr < s->buf_end > same in the other chunk >
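Review bot: In both branches of the #ifdef in flush_put_bits, s->buf_ptr++ still executes once s->buf_ptr has reached s->buf_end, so the pointer keeps moving beyond the end of the buffer; C leaves pointer arithmetic further than one element past an array undefined even when nothing is dereferenced. If the size measurement described in the commit message is to be kept, counting the dropped bytes in a separate integer field would keep buf_ptr within bounds. Whichever way it goes, the header should document that callers must compare the reported size against the buffer size and treat a larger value as truncated output before using the packet. The context comment /* XXX: should test end of buffer */ is also stale after this change and should be removed or reworded.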
We'd have to change the functions that report the nominal size written then.

lu
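The trade-off discussed in this exchange, as an added example that is not part of the patch or of libav's code: a byte writer whose pointer stops at the end of the buffer while a separate counter records the nominal size, so an encoder can still measure and retry as the commit message describes. ByteSink, sink_put, encode_pass and encode_to_fit are hypothetical names, and the encoder pass is a constructed stand-in.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical byte sink (not libav's PutBitContext): ptr never passes end;
 * bytes that do not fit are counted in nominal but not stored. */
typedef struct { uint8_t *ptr, *end; size_t nominal; } ByteSink;

static void sink_init(ByteSink *s, uint8_t *buf, size_t size)
{
    s->ptr = buf;
    s->end = buf + size;
    s->nominal = 0;
}

static void sink_put(ByteSink *s, uint8_t b)
{
    if (s->ptr < s->end)
        *s->ptr++ = b;   /* store and advance only while in bounds */
    s->nominal++;        /* always count, so the needed size is known */
}

/* Constructed stand-in for an encoder pass: higher quality emits more bytes.
 * Returns the nominal size, which exceeds size when output was truncated. */
static size_t encode_pass(uint8_t *buf, size_t size, int quality)
{
    ByteSink s;
    sink_init(&s, buf, size);
    for (int i = 0; i < quality * 4; i++)
        sink_put(&s, (uint8_t)i);
    return s.nominal;
}

/* Retry at lower quality until the pass fits; returns bytes used, 0 if none fits. */
static size_t encode_to_fit(uint8_t *buf, size_t size, int quality)
{
    for (; quality > 0; quality--) {
        size_t need = encode_pass(buf, size, quality);
        if (need <= size)
            return need;
    }
    return 0;
}

int main(void)
{
    uint8_t pkt[10];
    /* quality 5 needs 20 bytes; quality 2 (8 bytes) is the first that fits */
    return encode_to_fit(pkt, sizeof pkt, 5) == 8 ? 0 : 1;
}
```

Passing a size of 0 to encode_pass measures the required size without storing anything.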