Module: libav
Branch: release/12
Commit: 739f08aee653a745d704d153bd818b7bf33b0274

Author:    Anton Khirnov <an...@khirnov.net>
Committer: Sean McGovern <gsean...@gmail.com>
Date:      Wed Dec 28 13:02:02 2016 +0100

h264_cavlc: check the value of run_before

Section 9.2.3.2 of the spec implies that run_before must not be larger
than zeros_left.

Fixes invalid reads with corrupted files.

CC: libav-sta...@libav.org
Bug-Id: 1000
Found-By: Kamil Frankowicz
(cherry picked from commit 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a)
Signed-off-by: Sean McGovern <gsean...@gmail.com>

---

 libavcodec/h264_cavlc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 4fa2de0..22a643b 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -579,8 +579,10 @@ static int decode_residual(const H264Context *h, 
H264SliceContext *sl,
         for(i=1;i<total_coeff && zeros_left > 0;i++) { \
             if(zeros_left < 7) \
                 run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, 
RUN_VLC_BITS, 1); \
-            else \
+            else {\
                 run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+                run_before = FFMIN(zeros_left, run_before);\
+            }\
             zeros_left -= run_before; \
             scantable -= 1 + run_before; \
             ((type*)block)[*scantable]= level[i]; \
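Review bot: The clamp `run_before = FFMIN(zeros_left, run_before);` in the `else` branch silently repairs a bitstream that violates the run_before <= zeros_left constraint, so a corrupted file decodes to plausible-looking coefficients with no error reported; the same applies to the identical change in the second hunk (-594/+596). Since decode_residual returns int, consider rejecting the block instead, e.g. `if (run_before > zeros_left) return AVERROR_INVALIDDATA;` (inside the macro, so the line needs its trailing `\`), provided the callers outside this hunk treat a negative return as a decode error. The `zeros_left < 7` branch is left unclamped, presumably because the `run_vlc[zeros_left - 1]` tables cannot yield a value above zeros_left; a short comment such as `/* only run7_vlc can code a run larger than zeros_left */` would make that invariant visible to the next reader. The loop and the enclosing macro begin and end outside the hunk, so whether a later check on zeros_left exists cannot be confirmed from here.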
@@ -594,8 +596,10 @@ static int decode_residual(const H264Context *h, 
H264SliceContext *sl,
         for(i=1;i<total_coeff && zeros_left > 0;i++) { \
             if(zeros_left < 7) \
                 run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, 
RUN_VLC_BITS, 1); \
-            else \
+            else {\
                 run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+                run_before = FFMIN(zeros_left, run_before);\
+            }\
             zeros_left -= run_before; \
             scantable -= 1 + run_before; \
             ((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 
32))>>6; \
