From 9594370e0cdc6a35ee3254994fb05204e99449b5 Mon Sep 17 00:00:00 2001
From: John Koleszar <jkoleszar@google.com>
Date: Tue, 26 Apr 2011 12:36:03 -0400
Subject: [PATCH] Update VP8DX_BOOL_DECODER_FILL to better detect EOS

Allow more reliable detection of truncated bitstreams by being more
precise with the count of "virtual" bits in the value buffer.
Specifically, the VP8_LOTS_OF_BITS value is accumulated into count,
rather than being assigned, which was losing the prior value,
increasing the required tolerance when testing for the error condition.

Change-Id: Ib5172eaa57323b939c439fff8a8ab5fa38da9b69
---
 vp8/decoder/dboolhuff.h | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index a83e3f0..b217b14 100644
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -55,7 +55,7 @@ void vp8dx_bool_decoder_fill(BOOL_DECODER *br);
         for(shift = VP8_BD_VALUE_SIZE - 8 - ((_count) + 8); shift >= 0; ) \
         { \
             if((_bufptr) >= (_bufend)) { \
-                (_count) = VP8_LOTS_OF_BITS; \
+                (_count) += VP8_LOTS_OF_BITS; \
                 break; \
             } \
             (_count) += 8; \
@@ -119,18 +119,19 @@ static int vp8_decode_value(BOOL_DECODER *br, int bits)
 
 static int vp8dx_bool_error(BOOL_DECODER *br)
 {
-  /* Check if we have reached the end of the buffer.
-   *
-   * Variable 'count' stores the number of bits in the 'value' buffer,
-   * minus 8. So if count == 8, there are 16 bits available to be read.
-   * Normally, count is filled with 8 and one byte is filled into the
-   * value buffer. When we reach the end of the buffer, count is instead
-   * filled with VP8_LOTS_OF_BITS, 8 of which represent the last 8 real
-   * bits from the bitstream. So the last bit in the bitstream will be
-   * represented by count == VP8_LOTS_OF_BITS - 16.
-   */
-    if ((br->count > VP8_BD_VALUE_SIZE)
-        && (br->count <= VP8_LOTS_OF_BITS - 16))
+    /* Check if we have reached the end of the buffer.
+     *
+     * Variable 'count' stores the number of bits in the 'value' buffer, minus
+     * 8. The top byte is part of the algorithm, and the remainder is buffered
+     * to be shifted into it. So if count == 8, the top 16 bits of 'value' are
+     * occupied, 8 for the algorithm and 8 in the buffer.
+     *
+     * When reading a byte from the user's buffer, count is filled with 8 and
+     * one byte is filled into the value buffer. When we reach the end of the
+     * data, count is additionally filled with VP8_LOTS_OF_BITS. So when
+     * count == VP8_LOTS_OF_BITS - 1, the user's data has been exhausted.
+     */
+    if ((br->count > VP8_BD_VALUE_SIZE) && (br->count < VP8_LOTS_OF_BITS))
     {
        /* We have tried to decode bits after the end of
         * stream was encountered.
-- 
2.7.4