Browse code
lavc: check for overflow in init_get_bits
Fix an undefined behaviour and make the function return a proper
error in case of overflow.
CC: libav-stable@libav.org
(cherry picked from commit d9cf5f516974c64e01846ca685301014b38cf224)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 7a2ee770f520ae4fd5f009cfc361a18e993dec91)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Luca Barbato authored on 2013/01/14 03:52:45Showing 1 changed files
| ... | ... |
@@ -344,20 +344,27 @@ static inline int check_marker(GetBitContext *s, const char *msg) |
| 344 | 344 |
} |
| 345 | 345 |
|
| 346 | 346 |
/** |
| 347 |
- * Inititalize GetBitContext. |
|
| 348 |
- * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes larger than the actual read bits |
|
| 349 |
- * because some optimized bitstream readers read 32 or 64 bit at once and could read over the end |
|
| 347 |
+ * Initialize GetBitContext. |
|
| 348 |
+ * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes |
|
| 349 |
+ * larger than the actual read bits because some optimized bitstream |
|
| 350 |
+ * readers read 32 or 64 bit at once and could read over the end |
|
| 350 | 351 |
* @param bit_size the size of the buffer in bits |
| 352 |
+ * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow. |
|
| 351 | 353 |
*/ |
| 352 |
-static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, |
|
| 353 |
- int bit_size) |
|
| 354 |
+static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, |
|
| 355 |
+ int bit_size) |
|
| 354 | 356 |
{
|
| 355 |
- int buffer_size = (bit_size+7)>>3; |
|
| 356 |
- if (buffer_size < 0 || bit_size < 0) {
|
|
| 357 |
+ int buffer_size; |
|
| 358 |
+ int ret = 0; |
|
| 359 |
+ |
|
| 360 |
+ if (bit_size > INT_MAX - 7 || bit_size <= 0) {
|
|
| 357 | 361 |
buffer_size = bit_size = 0; |
| 358 | 362 |
buffer = NULL; |
| 363 |
+ ret = AVERROR_INVALIDDATA; |
|
| 359 | 364 |
} |
| 360 | 365 |
|
| 366 |
+ buffer_size = (bit_size + 7) >> 3; |
|
| 367 |
+ |
|
| 361 | 368 |
s->buffer = buffer; |
| 362 | 369 |
s->size_in_bits = bit_size; |
| 363 | 370 |
#if !UNCHECKED_BITSTREAM_READER |
| ... | ... |
@@ -365,6 +372,7 @@ static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, |
| 365 | 365 |
#endif |
| 366 | 366 |
s->buffer_end = buffer + buffer_size; |
| 367 | 367 |
s->index = 0; |
| 368 |
+ return ret; |
|
| 368 | 369 |
} |
| 369 | 370 |
|
| 370 | 371 |
static inline void align_get_bits(GetBitContext *s) |