| Message ID | 20171017221159.2349-3-sw@jkqxz.net |
|---|---|
| State | Accepted |
| Commit | c37de519202ac2e5f20141673081b0e6b57ab983 |
| Headers | show |
On 17 October 2017 at 23:11, Mark Thompson <sw@jkqxz.net> wrote: > This can trigger a single-byte overread if the codebook has the maximum > number of entries. > > Fixes #6743. > --- > libavcodec/vorbis.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c > index 399020eec5..ce23b947f0 100644 > --- a/libavcodec/vorbis.c > +++ b/libavcodec/vorbis.c > @@ -58,7 +58,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, > unsigned num) > uint32_t exit_at_level[33] = { 404 }; > unsigned i, j, p, code; > > - for (p = 0; (bits[p] == 0) && (p < num); ++p) > + for (p = 0; (p < num) && (bits[p] == 0); ++p) > ; > if (p == num) > return 0; > @@ -71,7 +71,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, > unsigned num) > > ++p; > > - for (i = p; (bits[i] == 0) && (i < num); ++i) > + for (i = p; (i < num) && (bits[i] == 0); ++i) > ; > if (i == num) > return 0; > -- > 2.11.0 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > LGTM I'll get around to merging the psy stuff one of these days
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 399020eec5..ce23b947f0 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -58,7 +58,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) uint32_t exit_at_level[33] = { 404 }; unsigned i, j, p, code; - for (p = 0; (bits[p] == 0) && (p < num); ++p) + for (p = 0; (p < num) && (bits[p] == 0); ++p) ; if (p == num) return 0; @@ -71,7 +71,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) ++p; - for (i = p; (bits[i] == 0) && (i < num); ++i) + for (i = p; (i < num) && (bits[i] == 0); ++i) ; if (i == num) return 0;