Merge commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7'
authorJames Almer <jamrial@gmail.com>
Tue, 3 Oct 2017 23:28:51 +0000 (20:28 -0300)
committerJames Almer <jamrial@gmail.com>
Tue, 3 Oct 2017 23:28:51 +0000 (20:28 -0300)
* commit 'b2788fe9347c02b1355574f3d28d60bfe1250ea7':
  svq3: fix the slice size check

Merged-by: James Almer <jamrial@gmail.com>
1  2 
libavcodec/svq3.c

@@@ -1036,32 -1031,30 +1036,31 @@@ static int svq3_decode_slice_header(AVC
          slice_bits   = slice_length * 8;
          slice_bytes  = slice_length + length - 1;
  
-         if (8LL*slice_bytes > get_bits_left(&s->gb)) {
-             av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
-             return -1;
-         }
 -        bitstream_skip(&s->bc, 8);
 +        skip_bits(&s->gb, 8);
  
          av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE);
          if (!s->slice_buf)
              return AVERROR(ENOMEM);
  
 -        if (slice_bytes * 8 > bitstream_bits_left(&s->bc)) {
++        if (slice_bytes * 8LL > get_bits_left(&s->gb)) {
+             av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+             return AVERROR_INVALIDDATA;
+         }
 -        memcpy(s->slice_buf, s->bc.buffer + bitstream_tell(&s->bc) / 8, slice_bytes);
 +        memcpy(s->slice_buf, s->gb.buffer + s->gb.index / 8, slice_bytes);
 +
 +        init_get_bits(&s->gb_slice, s->slice_buf, slice_bits);
  
          if (s->watermark_key) {
 -            uint32_t header = AV_RL32(&s->bc_slice.buffer[1]);
 -            AV_WL32(&s->bc_slice.buffer[1], header ^ s->watermark_key);
 +            uint32_t header = AV_RL32(&s->gb_slice.buffer[1]);
 +            AV_WL32(&s->gb_slice.buffer[1], header ^ s->watermark_key);
          }
          if (length > 0) {
 -            memcpy(s->slice_buf, &s->slice_buf[slice_length], length - 1);
 +            memmove(s->slice_buf, &s->slice_buf[slice_length], length - 1);
          }
 -        bitstream_skip(&s->bc, slice_bytes * 8);
 -        bitstream_init(&s->bc_slice, s->slice_buf, slice_bits);
 +        skip_bits_long(&s->gb, slice_bytes * 8);
      }
  
 -    if ((slice_id = get_interleaved_ue_golomb(&s->bc_slice)) >= 3) {
 +    if ((slice_id = get_interleaved_ue_golomb(&s->gb_slice)) >= 3) {
          av_log(s->avctx, AV_LOG_ERROR, "illegal slice type %u \n", slice_id);
          return -1;
      }
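Review bot: The bytes of `s->slice_buf` beyond `slice_bytes` are never initialised in this hunk: `av_fast_malloc` does not clear the buffer and the `memcpy` fills only `slice_bytes`, so the `AV_RL32(&s->gb_slice.buffer[1])` watermark read on a slice shorter than five bytes, and any bit-reader overshoot into the padding, operates on stale or uninitialised heap contents. Clearing the tail right after the copy makes that deterministic, e.g. `memset(s->slice_buf + slice_bytes, 0, AV_INPUT_BUFFER_PADDING_SIZE);`. Separately, the relocated `slice_bytes * 8LL > get_bits_left(&s->gb)` check now runs after the allocation, so a declared length that is about to be rejected still sizes the buffer; the check could sit above `av_fast_malloc` while staying after `skip_bits(&s->gb, 8)`. `svq3_decode_slice_header` starts before and continues past this hunk, so `slice_length` and `length` are assumed here to come straight from the slice header in the bitstream.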