diff options
| author | Ewald Snel <esnel@users.sourceforge.net> | 2003-01-01 15:25:15 +0000 |
|---|---|---|
| committer | Ewald Snel <esnel@users.sourceforge.net> | 2003-01-01 15:25:15 +0000 |
| commit | 3b049270e80f9db5949ecf9932a33dd5d3cac3ba (patch) | |
| tree | d2c3507da9146c89228ff3a5966d4f35a2d41f87 /src | |
| parent | 7cdf4b8f6be2b72951ea40e8f3056cad739547da (diff) | |
| download | xine-lib-3b049270e80f9db5949ecf9932a33dd5d3cac3ba.tar.gz xine-lib-3b049270e80f9db5949ecf9932a33dd5d3cac3ba.tar.bz2 | |
Fix another possible input buffer overflow problem
CVS patchset: 3740
CVS date: 2003/01/01 15:25:15
Diffstat (limited to 'src')
| -rw-r--r-- | src/libxinevdec/svq1.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/src/libxinevdec/svq1.c b/src/libxinevdec/svq1.c index 9121ae85e..9ba4477be 100644 --- a/src/libxinevdec/svq1.c +++ b/src/libxinevdec/svq1.c @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: svq1.c,v 1.21 2003/01/01 15:20:14 esnel Exp $ + * $Id: svq1.c,v 1.22 2003/01/01 15:25:15 esnel Exp $ */ #include <stdio.h> @@ -611,11 +611,23 @@ static uint32_t get_bits (bit_buffer_t *bitbuf, int count) { static uint32_t get_bit_cache(bit_buffer_t *bitbuf) { uint32_t result; - /* load 32 bits of data (byte-aligned) */ - result = BE_32 (&bitbuf->buffer[bitbuf->bitpos >> 3]); + /* avoid buffer overflow */ + if ((bitbuf->bitpos + 24) >= bitbuf->length) { + int i; + + /* load upto 24 bits of data on sub-byte offset */ + result = 0; + + for (i=(bitbuf->bitpos & ~0x7); i < bitbuf->length; i+=8) { + result |= bitbuf->buffer[i >> 3] << (24 + (bitbuf->bitpos - i)); + } + } else { + /* load 32 bits of data (byte-aligned) */ + result = BE_32 (&bitbuf->buffer[bitbuf->bitpos >> 3]); - /* compensate for sub-byte offset */ - result <<= (bitbuf->bitpos & 0x7); + /* compensate for sub-byte offset */ + result <<= (bitbuf->bitpos & 0x7); + } return result; } |