From 96ad0e0aefa6cc9503f64115365820fea80d3598 Mon Sep 17 00:00:00 2001
From: Urvang Joshi <urvang@google.com>
Date: Wed, 30 Oct 2013 16:33:36 -0700
Subject: [PATCH] VPLBitReader bugfix: Catch error if bit_pos > LBITS too.

Earlier we were only testing for bit_pos == LBITS. But this is not
sufficient,
as bit_pos can jump from < LBITS to > LBITS.

This was resulting in some bit-stream truncation errors not being
caught.

Note: Not a security bug though, as br->pos wasn't incremented in such
cases
and so we weren't reading beyond the buffer.

Change-Id: Idadcdcbc6a5713f8fac3470f907fa37a63074836
---
 src/utils/bit_reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/utils/bit_reader.c b/src/utils/bit_reader.c
index ab7a8273..677fa01b 100644
--- a/src/utils/bit_reader.c
+++ b/src/utils/bit_reader.c
@@ -179,7 +179,7 @@ void VP8LFillBitWindow(VP8LBitReader* const br) {
     }
 #endif
     ShiftBytes(br);       // Slow path.
-    if (br->pos_ == br->len_ && br->bit_pos_ == LBITS) {
+    if (br->pos_ == br->len_ && br->bit_pos_ >= LBITS) {
       br->eos_ = 1;
     }
   }