ffmpeg | branch: master | Michael Niedermayer <[email protected]> | Wed May 30 22:51:33 2018 +0200| [5ee203076fa1b1b5da32f525f2b6df3bd5e93b09] | committer: Michael Niedermayer
avcodec/vp3: Fix end of bitstream check in unpack_superblocks() Fixes: regression Found-by: Frank Liberato <[email protected]> Tested-by: Frank Liberato <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5ee203076fa1b1b5da32f525f2b6df3bd5e93b09 --- libavcodec/vp3.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 2050090670..0e6da89abb 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -451,6 +451,7 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb) int i, j; int current_fragment; int plane; + int plane0_num_coded_frags = 0; if (s->keyframe) { memset(s->superblock_coding, SB_FULLY_CODED, s->superblock_count); @@ -543,8 +544,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb) : s->y_superblock_count); int num_coded_frags = 0; - for (i = sb_start; i < sb_end; i++) { - if (get_bits_left(gb) < ((s->total_num_coded_frags + num_coded_frags) >> 2)) { + for (i = sb_start; i < sb_end && get_bits_left(gb) > 0; i++) { + if (s->keyframe == 0 && get_bits_left(gb) < plane0_num_coded_frags >> 2) { return AVERROR_INVALIDDATA; } /* iterate through all 16 fragments in a superblock */ @@ -579,6 +580,8 @@ static int unpack_superblocks(Vp3DecodeContext *s, GetBitContext *gb) } } } + if (!plane) + plane0_num_coded_frags = num_coded_frags; s->total_num_coded_frags += num_coded_frags; for (i = 0; i < 64; i++) s->num_coded_frags[plane][i] = num_coded_frags; _______________________________________________ ffmpeg-cvslog mailing list [email protected] http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
