wma: Make bitstream API more robust.

The ->buffer_end field of struct getbit_context is set but never
used. In fact, we never check bounds and happily read beyond the
supplied data buffer.

Fix this by replacing the field by ->num_bits, an integer which
is initialized in init_get_bits() to the number of bits available.
All functions which read the bitstream are modified to check bounds.

diff --git a/bitstream.h b/bitstream.h
index a6349861a55092fcdc1f957d7570621fd51e6834..3bcd2759a703ab3d62567d9da4d5ae07dfdc1a71 100644 (file)
--- a/bitstream.h
+++ b/bitstream.h
@@ -13,8 +13,8 @@
 struct getbit_context {
        /** Start of the internal buffer. */
        const uint8_t *buffer;
-       /** End of the internal buffer. */
-       const uint8_t *buffer_end;
+       /** Length of buffer in bits (always a multiple of 8). */
+       uint32_t num_bits;
        /** Bit counter. */
        int index;
 };
@@ -36,8 +36,12 @@ struct vlc {
 static inline uint32_t show_bits(struct getbit_context *gbc, int num)
 {
        int idx = gbc->index;
-       const char *p = (const char *)gbc->buffer + (idx >> 3);
-       uint32_t x = read_u32_be(p);
+       const char *p;
+       uint32_t x;
+
+       assert(idx + num <= gbc->num_bits);
+       p = (const char *)gbc->buffer + (idx >> 3);
+       x = read_u32_be(p);
        return (x << (idx & 7)) >> (32 - num);
 }
 
@@ -48,12 +52,13 @@ static inline int get_bits_count(struct getbit_context *gbc)
 
 static inline void skip_bits(struct getbit_context *gbc, int n)
 {
+       assert(gbc->index + n <= gbc->num_bits);
        gbc->index += n;
 }
 
 static inline unsigned int get_bits(struct getbit_context *gbc, int n)
 {
-       unsigned int ret = show_bits(gbc, n);
+       unsigned int ret = show_bits(gbc, n); /* checks n */
        skip_bits(gbc, n);
        return ret;
 }
@@ -61,8 +66,13 @@ static inline unsigned int get_bits(struct getbit_context *gbc, int n)
 /* This is rather hot, we can do better than get_bits(gbc, 1). */
 static inline unsigned int get_bit(struct getbit_context *gbc)
 {
-       int idx = gbc->index++;
-       uint8_t tmp = gbc->buffer[idx >> 3], mask = 1 << (7 - (idx & 7));
+       int idx;
+       uint8_t tmp, mask;
+
+       assert(gbc->index < gbc->num_bits);
+       idx = gbc->index++;
+       tmp = gbc->buffer[idx >> 3];
+       mask = 1 << (7 - (idx & 7));
        return !!(tmp & mask);
 }
 
@@ -81,7 +91,7 @@ static inline void init_get_bits(struct getbit_context *gbc,
                const uint8_t *buffer, int size)
 {
        gbc->buffer = buffer;
-       gbc->buffer_end = buffer + size;
+       gbc->num_bits = size * 8;
        gbc->index = 0;
 }