From bba833496586c7b44d1015f4b45b15b863aed476 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 8 Jul 2004 00:53:21 +0000
Subject: overread fix

Originally committed as revision 3294 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/cabac.c | 1 +
 libavcodec/cabac.h | 9 +++++++--
 libavcodec/h264.c | 4 ++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 2ae996a39d..9d56e23fc7 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -93,6 +93,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
+ c->bytestream_end= buf + buf_size;
 c->low= *c->bytestream++;
 c->low= (c->low<<9) + ((*c->bytestream++)<<1);
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index 05c47363d2..21085b21e8 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
@@ -39,6 +39,7 @@ typedef struct CABACContext{
 uint8_t mps_state[2*64]; ///< transIdxMPS
 const uint8_t *bytestream_start;
 const uint8_t *bytestream;
+ const uint8_t *bytestream_end;
 int bits_left; ///<
 PutBitContext pb;
 }CABACContext;
@@ -253,7 +254,9 @@ static inline void renorm_cabac_decoder(CABACContext *c){
 c->range+= c->range;
 c->low+= c->low;
 if(--c->bits_left == 0){
- c->low+= *c->bytestream++;
+ if(c->bytestream < c->bytestream_end)
+ c->low+= *c->bytestream;
+ c->bytestream++;
 c->bits_left= 8;
 }
 }
@@ -298,7 +301,9 @@ static inline int get_cabac_bypass(CABACContext *c){
 c->low += c->low;
 if(--c->bits_left == 0){
- c->low+= *c->bytestream++;
+ if(c->bytestream < c->bytestream_end)
+ c->low+= *c->bytestream;
+ c->bytestream++;
 c->bits_left= 8;
 }
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index c573b7996b..4d03945cd2 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
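Review bot: The new bytestream_end bound does not cover the two unconditional reads that immediately follow it in ff_init_cabac_decoder (`c->low= *c->bytestream++;` and the shifted second byte), so a buf_size of 0 or 1 still reads past the caller's buffer before renorm_cabac_decoder ever consults the bound. buf_size is a plain int, so a negative value would also place bytestream_end before bytestream_start and silently disable every later `bytestream < bytestream_end` check. The function returns void, so at minimum the precondition should be written down next to the reads, e.g. `/* caller must supply at least the bytes read unconditionally below; buf_size < 0 is not handled */`, and the caller should clamp before calling. The body of ff_init_cabac_decoder continues outside the hunk, so further unconditional reads may exist beyond what is visible here.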
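Review bot: The three-line bounded refill is now duplicated verbatim in renorm_cabac_decoder and in get_cabac_bypass (the next hunk), and the rule it encodes — stop reading at bytestream_end but keep advancing the pointer so the over-read is detectable afterwards — is not written down at either site. A static inline helper in this header would keep the two copies from drifting and give that comment a home; each call site then reduces to `if(--c->bits_left == 0) refill_cabac_byte(c);`. Note also that the pointer keeps advancing without limit past bytestream_end, and pointer arithmetic beyond one past the end of the buffer is undefined behaviour in standard C, so the consumer that compares against `bytestream_end + 1` is relying on implementation behaviour for anything decoded after that. renorm_cabac_decoder begins before its hunk and get_cabac_bypass continues past its hunk.
```c
/* Pull the next byte of the slice into the arithmetic-decoder register.
 * Past bytestream_end nothing is read, so the register is padded with zero
 * bits (c->low is only doubled), but the pointer still advances so the
 * caller can detect the over-read afterwards. */
static inline void refill_cabac_byte(CABACContext *c){
    if(c->bytestream < c->bytestream_end)
        c->low+= *c->bytestream;
    c->bytestream++;
    c->bits_left= 8;
}

/* … unchanged: renorm_cabac_decoder loop head … */
        if(--c->bits_left == 0)
            refill_cabac_byte(c);

/* … unchanged: get_cabac_bypass … */
    if(--c->bits_left == 0)
        refill_cabac_byte(c);
```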
@@ -5117,7 +5117,7 @@ static int decode_slice(H264Context *h){
 ff_init_cabac_states( &h->cabac, ff_h264_lps_range, ff_h264_mps_state, ff_h264_lps_state, 64 );
 ff_init_cabac_decoder( &h->cabac, s->gb.buffer + get_bits_count(&s->gb)/8,
- ( s->gb.size_in_bits - get_bits_count(&s->gb) ) );
+ ( s->gb.size_in_bits - get_bits_count(&s->gb) + 7)/8);
 /* calculate pre-state */
 for( i= 0; i < 399; i++ ) {
 int pre;
@@ -5149,7 +5149,7 @@ static int decode_slice(H264Context *h){
 s->mb_y--;
 }
- if( ret < 0 ) {
+ if( ret < 0 || h->cabac.bytestream > h->cabac.bytestream_end + 1) {
 av_log(h->s.avctx, AV_LOG_ERROR, "error while decoding MB %d %d\n", s->mb_x, s->mb_y);
 ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, (AC_ERROR|DC_ERROR|MV_ERROR)&part_mask);
 return -1;
--
cgit v1.2.3
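Review bot: `( s->gb.size_in_bits - get_bits_count(&s->gb) + 7)/8` becomes negative if the bit reader has already been consumed past size_in_bits, and ff_init_cabac_decoder takes it as a plain int, so bytestream_end would land before the buffer and the new bound checks in cabac.h would never fire. Whether get_bits_count can exceed size_in_bits at this point depends on GetBitContext behaviour not visible in this hunk; if it can, clamp before the call, e.g. `int cabac_size= (s->gb.size_in_bits - get_bits_count(&s->gb) + 7)/8; if(cabac_size < 0) cabac_size= 0;` and pass `cabac_size`. The rounding up to whole bytes is correct for the partial last byte; decode_slice continues outside the hunk.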
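Review bot: The `+ 1` in `h->cabac.bytestream > h->cabac.bytestream_end + 1` is an unexplained constant; presumably one byte of run-past is tolerated because the refill in renorm_cabac_decoder advances the pointer even when it declines to read, but a reader of decode_slice cannot tell that from here. A comment on the condition, e.g. `/* the CABAC refill may advance one byte past the end without reading; anything further means the slice was over-read */`, would record the coupling with cabac.h so the two are changed together. The condition is only evaluated where this `if` sits, so if macroblock decoding loops between checks, an over-read is detected only after the fact, which matches the "pad with zeros, detect later" design but is worth stating. The enclosing loop and decode_slice both extend beyond the hunk.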