[FFmpeg-devel] [PATCH] Fixed size given to init_get_bits() in xan decoder.

Michael Niedermayer michaelni at gmx.at
Sat Sep 10 01:37:44 CEST 2011


On Sat, Sep 10, 2011 at 12:40:31AM +0200, Laurent Aimar wrote:
> See the title.
[...]

> @@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) {
>      vector_segment =    s->buf + AV_RL16(&s->buf[4]);
>      imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
>  
> -    xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size);
> +    xan_huffman_decode(opcode_buffer, opcode_buffer_size,
> +                       huffman_segment, s->size - (huffman_segment - s->buf) );

something like the following could be used to find a tighter size bound
unsigned hsize= s->size - AV_RL16(s->buf);
for(i=2; i<8; i+=2)
    hsize= FFMIN(hsize, AV_RL16(s->buf+i) - AV_RL16(s->buf));

also either way it needs something like:
for(i=0; i<8; i+=2)
    if(AV_RL16(s->buf+i) >= s->size)
        return -1;

without that the size could become negative, which doesnt seem right to
me

otherwise LGTM

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20110910/f6973854/attachment.asc>


More information about the ffmpeg-devel mailing list