On 17/11/2019 07:34, Andreas Rheinhardt wrote: > The number of bits in a PutBitContext must fit into an int, yet nothing > guaranteed the size argument cbs_write_unit_data() uses in init_put_bits() > to be in the range 0..INT_MAX / 8. This has been changed. > > Furthermore, the check 8 * data_size > data_bit_start that there is > data beyond the initial padding when writing mpeg2 or H.264/5 slices > could also overflow, so divide it by 8 to get an equivalent check > without this problem. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@gmail.com> > --- > libavcodec/cbs.c | 4 +++- > libavcodec/cbs_h2645.c | 2 +- > libavcodec/cbs_mpeg2.c | 2 +- > 3 files changed, 5 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c > index ab3eadb534..0badb192d9 100644 > --- a/libavcodec/cbs.c > +++ b/libavcodec/cbs.c > @@ -309,7 +309,9 @@ static int cbs_write_unit_data(CodedBitstreamContext *ctx, > if (ret < 0) { > if (ret == AVERROR(ENOSPC)) { > // Overflow. > - ctx->write_buffer_size *= 2; > + if (ctx->write_buffer_size == INT_MAX / 8) > + return AVERROR(ENOMEM); > + ctx->write_buffer_size = FFMIN(2 * ctx->write_buffer_size, > INT_MAX / 8); > goto reallocate_and_try_again; > } > // Write failed for some other reason. > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c > index 923f77dcb4..88fa0029cd 100644 > --- a/libavcodec/cbs_h2645.c > +++ b/libavcodec/cbs_h2645.c > @@ -1101,7 +1101,7 @@ static int > cbs_h2645_write_slice_data(CodedBitstreamContext *ctx, > const uint8_t *pos = data + data_bit_start / 8; > > av_assert0(data_bit_start >= 0 && > - 8 * data_size > data_bit_start); > + data_size > data_bit_start / 8); > > if (data_size * 8 + 8 > put_bits_left(pbc)) > return AVERROR(ENOSPC); > diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c > index a9cc4a4cf8..13d871cc89 100644 > --- a/libavcodec/cbs_mpeg2.c > +++ b/libavcodec/cbs_mpeg2.c 
> @@ -337,7 +337,7 @@ static int cbs_mpeg2_write_slice(CodedBitstreamContext > *ctx, > uint8_t *pos = slice->data + slice->data_bit_start / 8; > > av_assert0(slice->data_bit_start >= 0 && > - 8 * slice->data_size > slice->data_bit_start); > + slice->data_size > slice->data_bit_start / 8); > > if (slice->data_size * 8 + 8 > put_bits_left(pbc)) > return AVERROR(ENOSPC); >
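Review bot: in the libavcodec/cbs.c hunk, the cap test `ctx->write_buffer_size == INT_MAX / 8` only fires when the size lands exactly on the limit. That holds as long as every update goes through the FFMIN clamp on the next line, but a `>=` comparison would also stop a size that was ever set above the limit, which is the case where init_put_bits() would be handed a bit count that does not fit into an int. `INT_MAX / 8` also appears twice in this hunk with no explanation; a named constant with a one-line comment tying it to the PutBitContext limit from the commit message would keep the bound and its reason in one place.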
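Review bot: in the libavcodec/cbs_h2645.c hunk, the context line right after the changed assertion, `if (data_size * 8 + 8 > put_bits_left(pbc))`, still multiplies data_size by 8, so it can overflow in the same way the commit message describes for the old `8 * data_size > data_bit_start`. Consider turning it into a byte-count comparison as well (divide the put_bits_left() result instead of multiplying data_size), taking care with the case where fewer than 8 bits are left.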
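Review bot: in the libavcodec/cbs_mpeg2.c hunk, `uint8_t *pos = slice->data + slice->data_bit_start / 8;` is computed before the av_assert0() that checks `slice->data_bit_start >= 0` and that the offset lies inside the slice data, so the pointer arithmetic runs on an offset that has not been validated yet. Moving the assignment below the assertion would make the order match the intent. The following `slice->data_size * 8 + 8 > put_bits_left(pbc)` keeps the multiplication by 8 that this patch removes from the assertion and deserves the same treatment.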
Yep, applied.

Thanks,

- Mark