fix 960932 by add boundary checks on run_before
This commit is contained in:
Licai Guo
parent
7d6035d5d4
commit
a2164c22af
@ -116,8 +116,9 @@ ERR_INFO_INVALID_REF_INDEX,
|
|||||||
ERR_INFO_INVALID_CBP,
|
ERR_INFO_INVALID_CBP,
|
||||||
ERR_INFO_DQUANT_OUT_OF_RANGE,
|
ERR_INFO_DQUANT_OUT_OF_RANGE,
|
||||||
ERR_INFO_CAVLC_INVALID_PREFIX,
|
ERR_INFO_CAVLC_INVALID_PREFIX,
|
||||||
ERR_INFO_CAVLC_INVALID_TOTAL_COEFF,
|
ERR_INFO_CAVLC_INVALID_TOTAL_COEFF_OR_TRAILING_ONES,
|
||||||
ERR_INFO_CAVLC_INVALID_ZERO_LEFT,
|
ERR_INFO_CAVLC_INVALID_ZERO_LEFT,
|
||||||
|
ERR_INFO_CAVLC_INVALID_RUN_BEFORE,
|
||||||
ERR_INFO_MV_OUT_OF_RANGE,
|
ERR_INFO_MV_OUT_OF_RANGE,
|
||||||
|
|
||||||
ERR_INFO_INVALID_I4x4_PRED_MODE,
|
ERR_INFO_INVALID_I4x4_PRED_MODE,
|
||||||
|
|||||||
@ -586,8 +586,6 @@ static int32_t CavlcGetLevelVal (int32_t iLevel[16], SReadBitsCache* pBitsCache,
|
|||||||
|
|
||||||
if (iSuffixLengthSize > 0) {
|
if (iSuffixLengthSize > 0) {
|
||||||
if (pBitsCache->uiRemainBits <= iSuffixLengthSize) SHIFT_BUFFER (pBitsCache);
|
if (pBitsCache->uiRemainBits <= iSuffixLengthSize) SHIFT_BUFFER (pBitsCache);
|
||||||
if (pBitsCache->uiRemainBits <= iSuffixLengthSize)
|
|
||||||
return 0;
|
|
||||||
iLevelCode += (pBitsCache->uiCache32Bit >> (32 - iSuffixLengthSize));
|
iLevelCode += (pBitsCache->uiCache32Bit >> (32 - iSuffixLengthSize));
|
||||||
POP_BUFFER (pBitsCache, iSuffixLengthSize);
|
POP_BUFFER (pBitsCache, iSuffixLengthSize);
|
||||||
iUsedBits += iSuffixLengthSize;
|
iUsedBits += iSuffixLengthSize;
|
||||||
@ -628,8 +626,6 @@ static int32_t CavlcGetTotalZeros (int32_t& iZerosLeft, SReadBitsCache* pBitsCac
|
|||||||
iCount = kpBitNumMap[iTotalZeroVlcIdx - 1];
|
iCount = kpBitNumMap[iTotalZeroVlcIdx - 1];
|
||||||
if (pBitsCache->uiRemainBits < iCount) SHIFT_BUFFER (
|
if (pBitsCache->uiRemainBits < iCount) SHIFT_BUFFER (
|
||||||
pBitsCache); // if uiRemainBits+16 still smaller than iCount?? potential bug
|
pBitsCache); // if uiRemainBits+16 still smaller than iCount?? potential bug
|
||||||
if (pBitsCache->uiRemainBits < iCount)
|
|
||||||
return 0;
|
|
||||||
uiValue = pBitsCache->uiCache32Bit >> (32 - iCount);
|
uiValue = pBitsCache->uiCache32Bit >> (32 - iCount);
|
||||||
iCount = pVlcTable->kpTotalZerosTable[uiTableType][iTotalZeroVlcIdx - 1][uiValue][1];
|
iCount = pVlcTable->kpTotalZerosTable[uiTableType][iTotalZeroVlcIdx - 1][uiValue][1];
|
||||||
POP_BUFFER (pBitsCache, iCount);
|
POP_BUFFER (pBitsCache, iCount);
|
||||||
@ -647,8 +643,6 @@ static int32_t CavlcGetRunBefore (int32_t iRun[16], SReadBitsCache* pBitsCache,
|
|||||||
if (iZerosLeft > 0) {
|
if (iZerosLeft > 0) {
|
||||||
uiCount = g_kuiZeroLeftBitNumMap[iZerosLeft];
|
uiCount = g_kuiZeroLeftBitNumMap[iZerosLeft];
|
||||||
if (pBitsCache->uiRemainBits < uiCount) SHIFT_BUFFER (pBitsCache);
|
if (pBitsCache->uiRemainBits < uiCount) SHIFT_BUFFER (pBitsCache);
|
||||||
if (pBitsCache->uiRemainBits < uiCount)
|
|
||||||
return 0;
|
|
||||||
uiValue = pBitsCache->uiCache32Bit >> (32 - uiCount);
|
uiValue = pBitsCache->uiCache32Bit >> (32 - uiCount);
|
||||||
if (iZerosLeft < 7) {
|
if (iZerosLeft < 7) {
|
||||||
uiCount = pVlcTable->kpZeroTable[iZerosLeft - 1][uiValue][1];
|
uiCount = pVlcTable->kpZeroTable[iZerosLeft - 1][uiValue][1];
|
||||||
@ -669,6 +663,8 @@ static int32_t CavlcGetRunBefore (int32_t iRun[16], SReadBitsCache* pBitsCache,
|
|||||||
iPrefixBits = GetPrefixBits (pBitsCache->uiCache32Bit);
|
iPrefixBits = GetPrefixBits (pBitsCache->uiCache32Bit);
|
||||||
#endif
|
#endif
|
||||||
iRun[i] = iPrefixBits + 6;
|
iRun[i] = iPrefixBits + 6;
|
||||||
|
if (iRun[i] > iZerosLeft)
|
||||||
|
return -1;
|
||||||
POP_BUFFER (pBitsCache, iPrefixBits);
|
POP_BUFFER (pBitsCache, iPrefixBits);
|
||||||
iUsedBits += iPrefixBits;
|
iUsedBits += iPrefixBits;
|
||||||
}
|
}
|
||||||
@ -740,7 +736,7 @@ int32_t WelsResidualBlockCavlc (SVlcTable* pVlcTable, uint8_t* pNonZeroCountCach
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (uiTrailingOnes > 3 || uiTotalCoeff > 16) { /////////////////check uiTrailingOnes and uiTotalCoeff
|
if (uiTrailingOnes > 3 || uiTotalCoeff > 16) { /////////////////check uiTrailingOnes and uiTotalCoeff
|
||||||
return -1;
|
return ERR_INFO_CAVLC_INVALID_TOTAL_COEFF_OR_TRAILING_ONES;
|
||||||
}
|
}
|
||||||
iUsedBits += CavlcGetLevelVal (iLevel, &sReadBitsCache, uiTotalCoeff, uiTrailingOnes);
|
iUsedBits += CavlcGetLevelVal (iLevel, &sReadBitsCache, uiTotalCoeff, uiTrailingOnes);
|
||||||
|
|
||||||
@ -753,8 +749,10 @@ int32_t WelsResidualBlockCavlc (SVlcTable* pVlcTable, uint8_t* pNonZeroCountCach
|
|||||||
if (iZerosLeft < 0) {
|
if (iZerosLeft < 0) {
|
||||||
return ERR_INFO_CAVLC_INVALID_ZERO_LEFT;
|
return ERR_INFO_CAVLC_INVALID_ZERO_LEFT;
|
||||||
}
|
}
|
||||||
iUsedBits += CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft);
|
if ((i = CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft)) == -1) {
|
||||||
|
return ERR_INFO_CAVLC_INVALID_RUN_BEFORE;
|
||||||
|
}
|
||||||
|
iUsedBits += i;
|
||||||
pBs->iIndex += iUsedBits;
|
pBs->iIndex += iUsedBits;
|
||||||
iCoeffNum = -1;
|
iCoeffNum = -1;
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user