author | Ashwin Natesan <ashwin.natesan@ittiam.com> | 2023-02-20 16:52:56 +0530 |
---|---|---|
committer | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2023-02-20 08:02:26 -0800 |
commit | c38af025abf0040f6693d15f4ce2e878a728cfee (patch) | |
tree | e32d4a517b00b5a0682267691c9191d85f7fa6c6 | |
parent | 992407f6c3e77c9ff84684c77072b913eaa3152b (diff) | |
svcenc: fixed incorrect streamBuf accesses
If 'u4_strm_buf_offset == 0' when 'isvce_cabac_flush' is called,
then 'carry' is implicitly 0.
'u4_strm_buf_offset == 0' implies stream buffer is empty.
Invocation of 'isvce_cabac_flush' implies all MB's in a slice
have been encoded.
BUG = ossfuzz:56137
Test: svc_enc_fuzzer
-rw-r--r-- | encoder/svc/isvce_cabac.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/encoder/svc/isvce_cabac.c b/encoder/svc/isvce_cabac.c
index e36025e..3d3194d 100644
--- a/encoder/svc/isvce_cabac.c
+++ b/encoder/svc/isvce_cabac.c
@@ -252,6 +252,9 @@ void isvce_cabac_flush(isvce_cabac_ctxt_t *ps_cabac_ctxt)
 WORD32 bits_left;
 WORD32 rem_bits;
+ /* carry exists only if pu1_strm_buf has at least 1 byte of data */
+ carry = carry && (u4_strm_buf_offset > 0);
+
 if(carry)
 {
 /* CORNER CASE: if the previous data is 0x000003, then EPB will be
@@ -283,7 +286,10 @@ void isvce_cabac_flush(isvce_cabac_ctxt_t *ps_cabac_ctxt)
 }
 /* clear the carry in low */
- u4_low &= ((1 << (u4_bits_gen + CABAC_BITS)) - 1);
+ if(carry)
+ {
+ u4_low &= ((1 << (u4_bits_gen + CABAC_BITS)) - 1);
+ }
 /* extract the remaining bits; */
 /* includes additional msb bit of low as per Figure 9-12 */ |
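Review bot: The new guard `u4_strm_buf_offset > 0` in the first hunk only proves that one byte is present, while the CORNER CASE comment opening the `if(carry)` block talks about the previous data being 0x000003, which suggests the block looks at more than one byte behind the offset. If that look-back indexes `pu1_strm_buf[u4_strm_buf_offset - k]` for any k greater than 1, small non-zero offsets can still read or write before the start of the stream buffer, so the bound should match the deepest index used, or each comparison should carry its own check. The body of the block lies outside this hunk, so this needs confirming against the full function. The comment could also say why, for example `/* carry is added into the previous byte; with an empty buffer there is no byte to carry into */`.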
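Review bot: In the second hunk, making the mask conditional means that when the earlier guard forces `carry` to 0 for an empty buffer, any carry bit present in `u4_low` is no longer cleared before the remaining bits, including the extra msb of low, are extracted. If `carry` is derived from that bit (the assignment is outside the hunk, as is the rest of `isvce_cabac_flush`), the unconditional mask was a no-op when the bit was clear and is still wanted when it is set, so it seems safer to leave it unconditional. Separately, the shift is performed on a signed `1`; `u4_low &= ((1U << (u4_bits_gen + CABAC_BITS)) - 1);` avoids undefined behaviour should the shift count ever reach 31, which cannot be ruled out from the lines shown.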