Re: [libav-devel] [PATCH] svq3: fix the slice size check
On 14/02/2017 21:02, Anton Khirnov wrote: > Currently it incorrectly compares bits with bytes. > > Also, move the check right before where it's relevant, so that the > correct number of remaining bits is used. > > CC: libav-sta...@libav.org > --- > libavcodec/svq3.c | 9 - > 1 file changed, 4 insertions(+), 5 deletions(-) > > diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c > index 20c8f89..667d390 100644 > --- a/libavcodec/svq3.c > +++ b/libavcodec/svq3.c > @@ -1031,17 +1031,16 @@ static int svq3_decode_slice_header(AVCodecContext > *avctx) > slice_bits = slice_length * 8; > slice_bytes = slice_length + length - 1; > > -if (slice_bytes > bitstream_bits_left(>bc)) { > -av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); > -return -1; > -} > - > bitstream_skip(>bc, 8); > > av_fast_malloc(>slice_buf, >slice_size, slice_bytes + > AV_INPUT_BUFFER_PADDING_SIZE); > if (!s->slice_buf) > return AVERROR(ENOMEM); > > +if (slice_bytes * 8 > bitstream_bits_left(>bc)) { > +av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); > +return AVERROR_INVALIDDATA; > +} I'd keep it before the fast malloc though. lu ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH] svq3: fix the slice size check
Currently it incorrectly compares bits with bytes. Also, move the check right before where it's relevant, so that the correct number of remaining bits is used. CC: libav-sta...@libav.org --- libavcodec/svq3.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 20c8f89..667d390 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1031,17 +1031,16 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) slice_bits = slice_length * 8; slice_bytes = slice_length + length - 1; -if (slice_bytes > bitstream_bits_left(>bc)) { -av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); -return -1; -} - bitstream_skip(>bc, 8); av_fast_malloc(>slice_buf, >slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->slice_buf) return AVERROR(ENOMEM); +if (slice_bytes * 8 > bitstream_bits_left(>bc)) { +av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); +return AVERROR_INVALIDDATA; +} memcpy(s->slice_buf, s->bc.buffer + bitstream_tell(>bc) / 8, slice_bytes); if (s->watermark_key) { -- 2.0.0 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
Re: [libav-devel] [PATCH] svq3: fix the slice size check
On Wed, Feb 1, 2017 at 11:52 AM, Anton Khirnovwrote: > Currently it incorrectly compares bits with bytes. > > Also, move the check right before where it's relevant, so that the > correct number of remaining bits is used. > > CC: libav-sta...@libav.org > --- > libavcodec/svq3.c | 9 - > 1 file changed, 4 insertions(+), 5 deletions(-) > > diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c > index 8bbd331..f8143a2 100644 > --- a/libavcodec/svq3.c > +++ b/libavcodec/svq3.c > @@ -1030,17 +1030,16 @@ static int svq3_decode_slice_header(AVCodecContext > *avctx) > slice_bits = slice_length * 8; > slice_bytes = slice_length + length - 1; > > -if (slice_bytes > get_bits_left(>gb)) { > -av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); > -return -1; > -} > - > skip_bits(>gb, 8); > > av_fast_malloc(>slice_buf, >slice_size, slice_bytes + > AV_INPUT_BUFFER_PADDING_SIZE); > if (!s->slice_buf) > return AVERROR(ENOMEM); > > +if (slice_bytes * 8 > get_bits_left(>gb)) { > +av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); > +return -1; > +} > memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes); > > init_get_bits(>gb_slice, s->slice_buf, slice_bits); > -- ok, can you also change the returned error to AVERROR_INVALIDDATA? -- Vittorio ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH] svq3: fix the slice size check
Currently it incorrectly compares bits with bytes. Also, move the check right before where it's relevant, so that the correct number of remaining bits is used. CC: libav-sta...@libav.org --- libavcodec/svq3.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 8bbd331..f8143a2 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1030,17 +1030,16 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) slice_bits = slice_length * 8; slice_bytes = slice_length + length - 1; -if (slice_bytes > get_bits_left(>gb)) { -av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); -return -1; -} - skip_bits(>gb, 8); av_fast_malloc(>slice_buf, >slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->slice_buf) return AVERROR(ENOMEM); +if (slice_bytes * 8 > get_bits_left(>gb)) { +av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n"); +return -1; +} memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes); init_get_bits(>gb_slice, s->slice_buf, slice_bits); -- 2.0.0 ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel