[Ffmpeg-devel] [PATCH] fix jpegls uninitialized data reading

Reimar Döffinger Reimar.Doeffinger
Sun Dec 10 11:37:27 CET 2006


Hello,
On Sun, Dec 10, 2006 at 11:10:23AM +0100, Reimar Döffinger wrote:
> On Sun, Dec 10, 2006 at 02:28:37AM +0100, Michael Niedermayer wrote:
> > > Sorry, yet another correction. init_get_bits should get the larger size,
> > > too, in case somebody adds thorough checking of get_bits limits e.g. for
> > > debugging purposes.
> > 
> > hmm what about align_put_bits() ?
> 
> No, the flush_put_bits already does that implicitly, that is not the
> problem (on thinking again, this might actually be a bug
> that causes too many bits to be written by the encoder).
> The problem is that due to escaping sometimes only 7 bits are
> read. So this means you might end up with exactly one bit left to write,
> i.e. get_bits_count(&gb) == size * 8 - 1, which means you overread by 7
> bits.

To be more precise:
As I understand the spec, the attached patch should give correct output;
there is nothing to suggest that the unescaped bitstream must be
byte-aligned.
Also, the previous code had the bug of giving the size to init_get_bits
in bytes instead of bits.
Unlike the other patches, this one does change the regression test
checksum though, to dca9d700da7857217408c310c501b9bc

Greetings,
Reimar Döffinger
Index: libavcodec/jpeg_ls.c
===================================================================
--- libavcodec/jpeg_ls.c	(revision 7266)
+++ libavcodec/jpeg_ls.c	(working copy)
@@ -804,11 +804,13 @@
     av_free(zero);
     av_free(state);
 
+    put_bits(&pb2, 7, 0);
+    size = put_bits_count(&pb2);
     flush_put_bits(&pb2);
     /* do escape coding */
-    size = put_bits_count(&pb2) >> 3;
     init_get_bits(&gb, buf2, size);
-    while(get_bits_count(&gb) < size * 8){
+    size -= 7;
+    while(get_bits_count(&gb) < size){
         int v;
         v = get_bits(&gb, 8);
         put_bits(&pb, 8, v);
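Review bot: `size` changes meaning mid-hunk, which makes the bounds arithmetic hard to review: `size = put_bits_count(&pb2);` holds the padded bit count handed to `init_get_bits(&gb, buf2, size);`, then `size -= 7;` turns the same variable into the unpadded count used as the loop bound, and the code also silently relies on the count being taken before `flush_put_bits(&pb2)`, which byte-aligns the writer. Either a comment or two variables (the padded `bit_size` for the reader and the loop bound) would spell out why it works: each `v = get_bits(&gb, 8);` may start as late as bit `size - 1` and so read up to bit `size + 6`, which is exactly what the seven zero bits from `put_bits(&pb2, 7, 0);` cover; the repeated literal 7 deserves a name or a comment for the same reason. Also worth confirming that the buffer behind pb2 has room for the one extra byte the padding can spill into, since its allocation is outside this hunk.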
