Commit d71d6c5f authored by aurel's avatar aurel

vp56dec: ensure range coder won't read past the end of input buffer

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19348 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 47f2972b
...@@ -50,6 +50,7 @@ typedef struct { ...@@ -50,6 +50,7 @@ typedef struct {
int high; int high;
int bits; int bits;
const uint8_t *buffer; const uint8_t *buffer;
const uint8_t *end;
unsigned long code_word; unsigned long code_word;
} VP56RangeCoder; } VP56RangeCoder;
...@@ -185,6 +186,7 @@ static inline void vp56_init_range_decoder(VP56RangeCoder *c, ...@@ -185,6 +186,7 @@ static inline void vp56_init_range_decoder(VP56RangeCoder *c,
c->high = 255; c->high = 255;
c->bits = 8; c->bits = 8;
c->buffer = buf; c->buffer = buf;
c->end = buf + buf_size;
c->code_word = bytestream_get_be16(&c->buffer); c->code_word = bytestream_get_be16(&c->buffer);
} }
...@@ -205,7 +207,7 @@ static inline int vp56_rac_get_prob(VP56RangeCoder *c, uint8_t prob) ...@@ -205,7 +207,7 @@ static inline int vp56_rac_get_prob(VP56RangeCoder *c, uint8_t prob)
while (c->high < 128) { while (c->high < 128) {
c->high <<= 1; c->high <<= 1;
c->code_word <<= 1; c->code_word <<= 1;
if (--c->bits == 0) { if (--c->bits == 0 && c->buffer < c->end) {
c->bits = 8; c->bits = 8;
c->code_word |= *c->buffer++; c->code_word |= *c->buffer++;
} }
...@@ -228,7 +230,7 @@ static inline int vp56_rac_get(VP56RangeCoder *c) ...@@ -228,7 +230,7 @@ static inline int vp56_rac_get(VP56RangeCoder *c)
/* normalize */ /* normalize */
c->code_word <<= 1; c->code_word <<= 1;
if (--c->bits == 0) { if (--c->bits == 0 && c->buffer < c->end) {
c->bits = 8; c->bits = 8;
c->code_word |= *c->buffer++; c->code_word |= *c->buffer++;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment