[xiph-commits] r14546 - in trunk: ogg/src theora/lib/dec

Thu Feb 28 17:14:05 PST 2008

Author: tterribe
Date: 2008-02-28 17:14:05 -0800 (Thu, 28 Feb 2008)
New Revision: 14546

Modified:
   trunk/ogg/src/bitwise.c
   trunk/theora/lib/dec/bitwise.c
Log:
Fix possible read past the end of the buffer when reading 0 bits.


Modified: trunk/ogg/src/bitwise.c
===================================================================

--- trunk/ogg/src/bitwise.c	2008-02-28 02:16:23 UTC (rev 14545)
+++ trunk/ogg/src/bitwise.c	2008-02-29 01:14:05 UTC (rev 14546)
@@ -355,6 +355,9 @@
     /* not the main path */
     ret=-1L;
     if(b->endbyte*8+bits>b->storage*8)goto overflow;
+    /* special case to avoid reading b->ptr[0], which might be past the end of
+        the buffer; also skips some useless accounting */
+    else if(!bits)return(0L);
   }
   
   ret=b->ptr[0]<<(24+b->endbit);

Modified: trunk/theora/lib/dec/bitwise.c
===================================================================
--- trunk/theora/lib/dec/bitwise.c	2008-02-28 02:16:23 UTC (rev 14545)
+++ trunk/theora/lib/dec/bitwise.c	2008-02-29 01:14:05 UTC (rev 14546)
@@ -65,6 +65,12 @@
       fail=-1;
       goto overflow;
     }
+    /* special case to avoid reading b->ptr[0], which might be past the end of
+        the buffer; also skips some useless accounting */
+    else if(!bits){
+      *_ret=0L;
+      return 0;
+    }
   }
   ret=b->ptr[0]<<(24+b->endbit);
   if(bits>8){

