libopusdec: fix out-of-bounds read

[ffmpeg] / libavcodec / proresdec.c

diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c
index 1bbe267ec387441aba73b5670518072282b548d6..8a53719d9fae93b729f1c5929708fdf162159c71 100644 (file)
--- a/libavcodec/proresdec.c
+++ b/libavcodec/proresdec.c
@@ -365,6 +365,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out,
     }
 }
 
+#define MAX_PADDING 16
 
 /**
  * Decode AC coefficients for all blocks in a slice.
@@ -389,7 +390,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, int16_t *out,
         lev_cb_index = ff_prores_lev_to_cb_index[FFMIN(level, 9)];
 
         bits_left = get_bits_left(gb);
-        if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left)))
+        if (bits_left <= 0 || (bits_left <= MAX_PADDING && !show_bits(gb, bits_left)))
             return 0;
 
         run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]);
@@ -397,7 +398,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, int16_t *out,
             return AVERROR_INVALIDDATA;
 
         bits_left = get_bits_left(gb);
-        if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left)))
+        if (bits_left <= 0 || (bits_left <= MAX_PADDING && !show_bits(gb, bits_left)))
             return AVERROR_INVALIDDATA;
 
         level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1;
@@ -777,5 +778,5 @@ AVCodec ff_prores_decoder = {
     .init           = decode_init,
     .close          = decode_close,
     .decode         = decode_frame,
-    .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_SLICE_THREADS,
+    .capabilities   = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_SLICE_THREADS,
 };