# HG changeset patch
# User aurel
# Date 1246807422 0
# Node ID c7c1c6b35a736fc6bbb603b61e9107399e08a93a
# Parent de14016e0b2d45a14f791b407c086b1b92364551
vp56dec: ensure range coder won't read past the end of input buffer

diff -r de14016e0b2d -r c7c1c6b35a73 vp56.h
--- a/vp56.h Sun Jul 05 12:14:05 2009 +0000
+++ b/vp56.h Sun Jul 05 15:23:42 2009 +0000
@@ -50,6 +50,7 @@
 int high;
 int bits;
 const uint8_t *buffer;
+ const uint8_t *end;
 unsigned long code_word;
 } VP56RangeCoder;

@@ -185,6 +186,7 @@
 c->high = 255;
 c->bits = 8;
 c->buffer = buf;
+ c->end = buf + buf_size;
 c->code_word = bytestream_get_be16(&c->buffer);
 }

@@ -205,7 +207,7 @@
 while (c->high < 128) {
 c->high <<= 1;
 c->code_word <<= 1;
- if (--c->bits == 0) {
+ if (--c->bits == 0 && c->buffer < c->end) {
 c->bits = 8;
 c->code_word |= *c->buffer++;
 }
@@ -228,7 +230,7 @@

 /* normalize */
 c->code_word <<= 1;
- if (--c->bits == 0) {
+ if (--c->bits == 0 && c->buffer < c->end) {
 c->bits = 8;
 c->code_word |= *c->buffer++;
 }
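Review bot: The `bytestream_get_be16(&c->buffer)` call right after the new `c->end = buf + buf_size;` still reads two bytes without comparing against `c->end`, so a `buf_size` of 0 or 1 overreads before any of the added guards run. Unless every caller guarantees at least two readable bytes, the initial load should be bounded too, for example `c->code_word = buf_size >= 2 ? bytestream_get_be16(&c->buffer) : 0;`. A negative `buf_size` would also place `c->end` before `buf`; whether that can happen depends on callers not visible here. The initializer's signature and the type of `buf_size` are outside the hunk.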
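Review bot: Once the input is exhausted, `--c->bits == 0 && c->buffer < c->end` leaves `c->bits` at 0, so every later normalization step pushes it further below zero and the refill branch is never taken again; the hunk at -228 repeats the same condition. Resetting the counter unconditionally keeps it bounded and produces the same zero-filled `code_word`: `if (--c->bits == 0) { c->bits = 8; if (c->buffer < c->end) c->code_word |= *c->buffer++; }`. Exhaustion is also silent, since the coder keeps decoding shifted-in zero bits, so a comment such as `/* past end of input: shift in zero bits, never read */` would tell maintainers that truncated input is decoded rather than reported. Both enclosing functions start and end outside their hunks.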