fix for issue #275: don't compare to out-of-bound pointers

the original change triggered several internal API modifs. This is to ensure that we're never computing pointer that can possibly wrap around, or differences between pointers that can overflow. no observed speed difference Change-Id: I9c94dda38d94fecc010305e4ad12f13b8fda5380
2025-07-13 14:34:33 +02:00 · 2015-11-20 09:12:48 +00:00
parent 21735e06f7
commit b37b0179c5
5 changed files with 40 additions and 21 deletions
--- a/src/utils/bit_reader.c
+++ b/src/utils/bit_reader.c
@ -20,17 +20,26 @@
 //------------------------------------------------------------------------------
 // VP8BitReader

+void VP8BitReaderSetBuffer(VP8BitReader* const br,
+                           const uint8_t* const start,
+                           size_t size) {
+  br->buf_     = start;
+  br->buf_end_ = start + size;
+  br->buf_max_ =
+      (size >= sizeof(lbit_t)) ? start + size - sizeof(lbit_t) + 1
+                               : start;
+}
+
 void VP8InitBitReader(VP8BitReader* const br,
-                      const uint8_t* const start, const uint8_t* const end) {
+                      const uint8_t* const start, size_t size) {
  assert(br != NULL);
  assert(start != NULL);
-  assert(start <= end);
+  assert(size < (1u << 31));   // limit ensured by format and upstream checks
  br->range_   = 255 - 1;
-  br->buf_     = start;
-  br->buf_end_ = end;
  br->value_   = 0;
  br->bits_    = -8;   // to load the very first 8bits
  br->eof_     = 0;
+  VP8BitReaderSetBuffer(br, start, size);
  VP8LoadNewBytes(br);
 }

@ -38,6 +47,7 @@ void VP8RemapBitReader(VP8BitReader* const br, ptrdiff_t offset) {
  if (br->buf_ != NULL) {
    br->buf_ += offset;
    br->buf_end_ += offset;
+    br->buf_max_ += offset;
  }
 }

--- a/src/utils/bit_reader.h
+++ b/src/utils/bit_reader.h
@ -74,12 +74,16 @@ struct VP8BitReader {
  // read buffer
  const uint8_t* buf_;        // next byte to be read
  const uint8_t* buf_end_;    // end of read buffer
+  const uint8_t* buf_max_;    // max packed-read position on buffer
  int eof_;                   // true if input is exhausted
 };

 // Initialize the bit reader and the boolean decoder.
 void VP8InitBitReader(VP8BitReader* const br,
-                      const uint8_t* const start, const uint8_t* const end);
+                      const uint8_t* const start, size_t size);
+// Sets the working read buffer.
+void VP8BitReaderSetBuffer(VP8BitReader* const br,
+                           const uint8_t* const start, size_t size);

 // Update internal pointers to displace the byte buffer by the
 // relative offset 'offset'.
--- a/src/utils/bit_reader_inl.h
+++ b/src/utils/bit_reader_inl.h
@ -58,7 +58,7 @@ void VP8LoadFinalBytes(VP8BitReader* const br);
 static WEBP_INLINE void VP8LoadNewBytes(VP8BitReader* const br) {
  assert(br != NULL && br->buf_ != NULL);
  // Read 'BITS' bits at a time if possible.
-  if (br->buf_ + sizeof(lbit_t) <= br->buf_end_) {
+  if (br->buf_ < br->buf_max_) {
    // convert memory type to register type (with some zero'ing!)
    bit_t bits;
 #if defined(WEBP_FORCE_ALIGNED)