generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

cavs: fix some crashes with invalid bitstreams

Browse Source 
This removes all valgrind-reported invalid writes with one
specific test file.

Fixes http://www.ocert.org/advisories/ocert-2011-002.html

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78)

Fixes CVE-2011-3362, CVE-2011-3973, CVE-2011-3974

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Mans Rullgard 2011-08-10 18:52:11 +01:00 committed by Reinhard Tartler
parent 9f95d7aab3
commit 7a6bba627d
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/cavsdec.c
View File

@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
r++;
mask = -(level_code & 1);
level = (level^mask) - mask;
} else {
} else if (level_code >= 0) {
level = r->rltab[level_code][0];
if(!level) //end of block signal
break;
run = r->rltab[level_code][1];
r += r->rltab[level_code][2];
} else {
break;
}
level_buf[i] = level;
run_buf[i] = run;
@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) {
static int decode_mb_i(AVSContext *h, int cbp_code) {
GetBitContext *gb = &h->s.gb;
int block, pred_mode_uv;
unsigned pred_mode_uv;
int block;
uint8_t top[18];
uint8_t *left = NULL;
uint8_t *d;
@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) {
if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
skip_bits_long(gb,24+align);
h->stc = get_bits(gb,8);
if (h->stc >= h->mb_height)
return 0;
decode_slice_header(h,gb);
return 1;
}
@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
buf_end = buf + buf_size;
for(;;) {
buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
if(stc & 0xFFFFFE00)
if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
input_size = (buf_end - buf_ptr)*8;
switch(stc) {