Skip to content

F
ffmpeg.wasm-core
Commit a9401981 authored by Ronald S. Bultje's avatar Ronald S. Bultje
Browse files
Options

cabac: add overread protection to BRANCHLESS_GET_CABAC(). 

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
parent 448dc425
Show whitespace changes
Inline Side-by-side
Showing with 22 additions and 11 deletions
libavcodec/x86/cabac.h
View file @ a9401981
...@@ -51,7 +51,7 @@ ...@@ -51,7 +51,7 @@
"xor "tmp" , "ret" \n\t" "xor "tmp" , "ret" \n\t"
#endif /* HAVE_FAST_CMOV */ #endif /* HAVE_FAST_CMOV */
#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte) \ #define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte, end) \
"movzbl "statep" , "ret" \n\t"\ "movzbl "statep" , "ret" \n\t"\
"mov "range" , "tmp" \n\t"\ "mov "range" , "tmp" \n\t"\
"and $0xC0 , "range" \n\t"\ "and $0xC0 , "range" \n\t"\
...@@ -64,9 +64,12 @@ ...@@ -64,9 +64,12 @@
"shl %%cl , "low" \n\t"\ "shl %%cl , "low" \n\t"\
"mov "tmpbyte" , "statep" \n\t"\ "mov "tmpbyte" , "statep" \n\t"\
"test "lowword" , "lowword" \n\t"\ "test "lowword" , "lowword" \n\t"\
" jnz 1f \n\t"\ " jnz 2f \n\t"\
"mov "byte" , %%"REG_c" \n\t"\ "mov "byte" , %%"REG_c" \n\t"\
"cmp "end" , %%"REG_c" \n\t"\
"jge 1f \n\t"\
"add"OPSIZE" $2 , "byte" \n\t"\ "add"OPSIZE" $2 , "byte" \n\t"\
"1: \n\t"\
"movzwl (%%"REG_c") , "tmp" \n\t"\ "movzwl (%%"REG_c") , "tmp" \n\t"\
"lea -1("low") , %%ecx \n\t"\ "lea -1("low") , %%ecx \n\t"\
"xor "low" , %%ecx \n\t"\ "xor "low" , %%ecx \n\t"\
...@@ -79,7 +82,7 @@ ...@@ -79,7 +82,7 @@
"add $7 , %%ecx \n\t"\ "add $7 , %%ecx \n\t"\
"shl %%cl , "tmp" \n\t"\ "shl %%cl , "tmp" \n\t"\
"add "tmp" , "low" \n\t"\ "add "tmp" , "low" \n\t"\
"1: \n\t" "2: \n\t"
#if HAVE_7REGS && !defined(BROKEN_RELOCATIONS) #if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
#define get_cabac_inline get_cabac_inline_x86 #define get_cabac_inline get_cabac_inline_x86
...@@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c, ...@@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c,
__asm__ volatile( __asm__ volatile(
BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1", BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
"%2", "%3", "%b3", "%a6(%5)") "%2", "%3", "%b3",
"%a6(%5)", "%a7(%5)")
: "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp) : "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
: "r"(state), "r"(c), : "r"(state), "r"(c),
"i"(offsetof(CABACContext, bytestream)) "i"(offsetof(CABACContext, bytestream)),
"i"(offsetof(CABACContext, bytestream_end))
: "%"REG_c, "memory" : "%"REG_c, "memory"
); );
return bit & 1; return bit & 1;
......
libavcodec/x86/h264_i386.h
View file @ a9401981
...@@ -49,14 +49,16 @@ static int decode_significance_x86(CABACContext *c, int max_coeff, ...@@ -49,14 +49,16 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
"3: \n\t" "3: \n\t"
BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3", BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
"%5", "%k0", "%b0", "%a11(%6)") "%5", "%k0", "%b0",
"%a11(%6)", "%a12(%6)")
"test $1, %4 \n\t" "test $1, %4 \n\t"
" jz 4f \n\t" " jz 4f \n\t"
"add %10, %1 \n\t" "add %10, %1 \n\t"
BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3", BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
"%5", "%k0", "%b0", "%a11(%6)") "%5", "%k0", "%b0",
"%a11(%6)", "%a12(%6)")
"sub %10, %1 \n\t" "sub %10, %1 \n\t"
"mov %2, %0 \n\t" "mov %2, %0 \n\t"
...@@ -83,7 +85,8 @@ static int decode_significance_x86(CABACContext *c, int max_coeff, ...@@ -83,7 +85,8 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
: "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index), : "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index),
"+&r"(c->low), "=&r"(bit), "+&r"(c->range) "+&r"(c->low), "=&r"(bit), "+&r"(c->range)
: "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off), : "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off),
"i"(offsetof(CABACContext, bytestream)) "i"(offsetof(CABACContext, bytestream)),
"i"(offsetof(CABACContext, bytestream_end))
: "%"REG_c, "memory" : "%"REG_c, "memory"
); );
return coeff_count; return coeff_count;
...@@ -106,7 +109,8 @@ static int decode_significance_8x8_x86(CABACContext *c, ...@@ -106,7 +109,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
"add %9, %6 \n\t" "add %9, %6 \n\t"
BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3", BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
"%5", "%k0", "%b0", "%a12(%7)") "%5", "%k0", "%b0",
"%a12(%7)", "%a13(%7)")
"mov %1, %k6 \n\t" "mov %1, %k6 \n\t"
"test $1, %4 \n\t" "test $1, %4 \n\t"
...@@ -116,7 +120,8 @@ static int decode_significance_8x8_x86(CABACContext *c, ...@@ -116,7 +120,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
"add %11, %6 \n\t" "add %11, %6 \n\t"
BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3", BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
"%5", "%k0", "%b0", "%a12(%7)") "%5", "%k0", "%b0",
"%a12(%7)", "%a13(%7)")
"mov %2, %0 \n\t" "mov %2, %0 \n\t"
"mov %1, %k6 \n\t" "mov %1, %k6 \n\t"
...@@ -141,7 +146,8 @@ static int decode_significance_8x8_x86(CABACContext *c, ...@@ -141,7 +146,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
"=&r"(bit), "+&r"(c->range), "=&r"(state) "=&r"(bit), "+&r"(c->range), "=&r"(state)
: "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base), : "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base),
"m"(sig_off), "m"(last_coeff_ctx_base), "m"(sig_off), "m"(last_coeff_ctx_base),
"i"(offsetof(CABACContext, bytestream)) "i"(offsetof(CABACContext, bytestream)),
"i"(offsetof(CABACContext, bytestream_end))
: "%"REG_c, "memory" : "%"REG_c, "memory"
); );
return coeff_count; return coeff_count;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment