Commit 5ee20307 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/vp3: Fix end of bitstream check in unpack_superblocks()

Fixes: regression
Found-by: 's avatarFrank Liberato <liberato@google.com>
Tested-by: 's avatarFrank Liberato <liberato@google.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent af310843
...@@ -451,6 +451,7 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb) ...@@ -451,6 +451,7 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb)
int i, j; int i, j;
int current_fragment; int current_fragment;
int plane; int plane;
int plane0_num_coded_frags = 0;
if (s->keyframe) { if (s->keyframe) {
memset(s->superblock_coding, SB_FULLY_CODED, s->superblock_count); memset(s->superblock_coding, SB_FULLY_CODED, s->superblock_count);
...@@ -543,8 +544,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb) ...@@ -543,8 +544,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb)
: s->y_superblock_count); : s->y_superblock_count);
int num_coded_frags = 0; int num_coded_frags = 0;
for (i = sb_start; i < sb_end; i++) { for (i = sb_start; i < sb_end && get_bits_left(gb) > 0; i++) {
if (get_bits_left(gb) < ((s->total_num_coded_frags + num_coded_frags) >> 2)) { if (s->keyframe == 0 && get_bits_left(gb) < plane0_num_coded_frags >> 2) {
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
/* iterate through all 16 fragments in a superblock */ /* iterate through all 16 fragments in a superblock */
...@@ -579,6 +580,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb) ...@@ -579,6 +580,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb)
} }
} }
} }
if (!plane)
plane0_num_coded_frags = num_coded_frags;
s->total_num_coded_frags += num_coded_frags; s->total_num_coded_frags += num_coded_frags;
for (i = 0; i < 64; i++) for (i = 0; i < 64; i++)
s->num_coded_frags[plane][i] = num_coded_frags; s->num_coded_frags[plane][i] = num_coded_frags;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment