From ac0008f1cb23e38c71b1074390ea530393cc8269 Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Mon, 5 Jun 2017 16:52:37 +0200
Subject: [PATCH] wma: Make bitstream API more robust.
The ->buffer_end field of struct getbit_context is set but never used. In fact, we never check bounds and happily read beyond the supplied data buffer. Fix this by replacing the field by ->num_bits, an integer which is initialized in init_get_bits() to the number of bits available. All functions which read the bitstream are modified to check bounds.
---
 bitstream.h | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/bitstream.h b/bitstream.h
index a6349861..3bcd2759 100644
--- a/bitstream.h
+++ b/bitstream.h
@@ -13,8 +13,8 @@ struct getbit_context {
 	/** Start of the internal buffer. */
 	const uint8_t *buffer;
-	/** End of the internal buffer. */
-	const uint8_t *buffer_end;
+	/** Length of buffer in bits (always a multiple of 8). */
+	uint32_t num_bits;
 	/** Bit counter. */
 	int index;
 };
@@ -36,8 +36,12 @@ struct vlc {
 static inline uint32_t show_bits(struct getbit_context *gbc, int num)
 {
 	int idx = gbc->index;
-	const char *p = (const char *)gbc->buffer + (idx >> 3);
-	uint32_t x = read_u32_be(p);
+	const char *p;
+	uint32_t x;
+
+	assert(idx + num <= gbc->num_bits);
+	p = (const char *)gbc->buffer + (idx >> 3);
+	x = read_u32_be(p);
 	return (x << (idx & 7)) >> (32 - num);
 }
@@ -48,12 +52,13 @@ static inline int get_bits_count(struct getbit_context *gbc)
 static inline void skip_bits(struct getbit_context *gbc, int n)
 {
+	assert(gbc->index + n <= gbc->num_bits);
 	gbc->index += n;
 }
 static inline unsigned int get_bits(struct getbit_context *gbc, int n)
 {
-	unsigned int ret = show_bits(gbc, n);
+	unsigned int ret = show_bits(gbc, n); /* checks n */
 	skip_bits(gbc, n);
 	return ret;
 }
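Review bot: `num_bits` is introduced as `uint32_t` while `index` stays `int`, so every bounds check this patch builds on the pair (`idx + num <= gbc->num_bits` in show_bits, `gbc->index + n <= gbc->num_bits` in skip_bits, `gbc->index < gbc->num_bits` in get_bit) compares signed with unsigned. A negative left-hand side happens to fail those checks only because it converts to a large unsigned value, which is an accident of the conversion rather than a stated rule, and -Wsign-compare will warn on each site. Giving both fields the same type, e.g. `int num_bits;` next to `int index;`, keeps the comparisons plain. The field comment could also say what index counts: `/** Bit counter: position of the next unread bit, relative to buffer. */`.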
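Review bot: The new assert in show_bits bounds the requested bits but not the load that follows it: `read_u32_be(p)` loads four bytes from `buffer + (idx >> 3)`, so with fewer than four bytes left (constructed example: num_bits = 16, idx = 8, num = 8) the check passes and the read still runs up to three bytes past the buffer. Either callers must provide padding after the data, which should then be written into the init_get_bits comment, or the load has to stop at the end of the buffer, as in the byte-wise version below. Note also that assert() is compiled out under NDEBUG, so in release builds of a decoder fed untrusted input none of the checks added here, in skip_bits or in get_bit are active, while in debug builds a malformed stream aborts the process instead of being reported; a check that survives NDEBUG and lets the caller fail the decode would be the more robust shape. read_u32_be is defined outside this hunk; that it reads exactly four bytes is inferred from its name and its uint32_t result.
```c
static inline uint32_t show_bits(struct getbit_context *gbc, int num)
{
	int idx = gbc->index;
	uint32_t first = idx >> 3;            /* byte holding bit idx */
	uint32_t nbytes = gbc->num_bits >> 3;
	uint32_t x = 0;
	int i;

	assert(idx + num <= gbc->num_bits);
	/* Big-endian load of up to four bytes; bytes past the end read as 0. */
	for (i = 0; i < 4; i++) {
		uint8_t b = first + i < nbytes ? gbc->buffer[first + i] : 0;
		x = (x << 8) | b;
	}
	return (x << (idx & 7)) >> (32 - num);
}
```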
@@ -61,8 +66,13 @@ static inline unsigned int get_bits(struct getbit_context *gbc, int n)
 /* This is rather hot, we can do better than get_bits(gbc, 1). */
 static inline unsigned int get_bit(struct getbit_context *gbc)
 {
-	int idx = gbc->index++;
-	uint8_t tmp = gbc->buffer[idx >> 3], mask = 1 << (7 - (idx & 7));
+	int idx;
+	uint8_t tmp, mask;
+
+	assert(gbc->index < gbc->num_bits);
+	idx = gbc->index++;
+	tmp = gbc->buffer[idx >> 3];
+	mask = 1 << (7 - (idx & 7));
 	return !!(tmp & mask);
 }
@@ -81,7 +91,7 @@ static inline void init_get_bits(struct getbit_context *gbc,
 	const uint8_t *buffer, int size)
 {
 	gbc->buffer = buffer;
-	gbc->buffer_end = buffer + size;
+	gbc->num_bits = size * 8;
 	gbc->index = 0;
 }
-- 
2.39.5
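Review bot: `gbc->num_bits = size * 8;` multiplies an int: a negative size converts to a large uint32_t and silently disables every bounds check that depends on num_bits, and a size above INT_MAX / 8 overflows (undefined behaviour) before the conversion happens. A guard in front of the assignment, `assert(size >= 0 && size <= INT_MAX / 8);`, closes both cases; taking size as `size_t` and computing `(uint32_t)size * 8` would remove the signed case entirely if callers can be adjusted. Since show_bits loads four bytes at a time, a comment on init_get_bits stating whether buffer must extend past size (and by how many bytes) would make the contract explicit. The function's signature starts on the line before this hunk.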