Commit 522d850e authored by Anton Khirnov's avatar Anton Khirnov

h264_cavlc: check the value of run_before

Section 9.2.3.2 of the spec implies that run_before must not be larger
than zeros_left.

Fixes invalid reads with corrupted files.

CC: libav-stable@libav.org
Bug-Id: 1000
Found-By: Kamil Frankowicz
parent 83b2b34d
...@@ -579,8 +579,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl, ...@@ -579,8 +579,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl,
for(i=1;i<total_coeff && zeros_left > 0;i++) { \ for(i=1;i<total_coeff && zeros_left > 0;i++) { \
if(zeros_left < 7) \ if(zeros_left < 7) \
run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \ run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
else \ else {\
run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \ run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
run_before = FFMIN(zeros_left, run_before);\
}\
zeros_left -= run_before; \ zeros_left -= run_before; \
scantable -= 1 + run_before; \ scantable -= 1 + run_before; \
((type*)block)[*scantable]= level[i]; \ ((type*)block)[*scantable]= level[i]; \
...@@ -594,8 +596,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl, ...@@ -594,8 +596,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl,
for(i=1;i<total_coeff && zeros_left > 0;i++) { \ for(i=1;i<total_coeff && zeros_left > 0;i++) { \
if(zeros_left < 7) \ if(zeros_left < 7) \
run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \ run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
else \ else {\
run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \ run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
run_before = FFMIN(zeros_left, run_before);\
}\
zeros_left -= run_before; \ zeros_left -= run_before; \
scantable -= 1 + run_before; \ scantable -= 1 + run_before; \
((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 32))>>6; \ ((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 32))>>6; \
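Review bot: The added `run_before = FFMIN(zeros_left, run_before);` in the run7 branch silently repairs a value that, per the cited section 9.2.3.2, a conforming stream can never produce, so the caller never learns the macroblock is corrupt and keeps decoding from a desynchronized bitstream. If decode_residual already reports other inconsistent coefficient counts as an error, it would be more consistent to do the same here, e.g. `if (run_before > zeros_left) \` / `    return AVERROR_INVALIDDATA; \` (with whatever log message those checks use), so corrupted input is reported rather than masked; the clamp remains a correct fix for the out-of-bounds scantable read either way. The second hunk at +596 carries the identical change and would want the same treatment. Minor style point: the two added lines omit the space before the line-continuation backslash that the surrounding macro lines use. Both the macro body and decode_residual start before and continue past the hunk.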