svq3: fix the slice size check

Message ID 20170226062536.F0DB95DB04@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau Feb. 26, 2017, 6:25 a.m.
Module: libav
Branch: master
Commit: b2788fe9347c02b1355574f3d28d60bfe1250ea7

Author:    Anton Khirnov <anton@khirnov.net>
Committer: Anton Khirnov <anton@khirnov.net>
Date:      Wed Feb  1 11:50:38 2017 +0100

svq3: fix the slice size check

Currently it incorrectly compares bits with bytes.

Also, move the check right before where it's relevant, so that the
correct number of remaining bits is used.

CC: libav-stable@libav.org

---

 libavcodec/svq3.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

Patch

diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 20c8f89..667d390 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -1031,17 +1031,16 @@  static int svq3_decode_slice_header(AVCodecContext *avctx)
         slice_bits   = slice_length * 8;
         slice_bytes  = slice_length + length - 1;
 
-        if (slice_bytes > bitstream_bits_left(&s->bc)) {
-            av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
-            return -1;
-        }
-
         bitstream_skip(&s->bc, 8);
 
         av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE);
         if (!s->slice_buf)
             return AVERROR(ENOMEM);
 
+        if (slice_bytes * 8 > bitstream_bits_left(&s->bc)) {
+            av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+            return AVERROR_INVALIDDATA;
+        }
         memcpy(s->slice_buf, s->bc.buffer + bitstream_tell(&s->bc) / 8, slice_bytes);
 
         if (s->watermark_key) {