[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [1f6aea2cc4e379346d0b5b67e9ce775e12b39def] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f6aea2cc4e379346d0b5b67e9ce775e12b39def --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |5 - 5 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 81a75dd..48f70ca 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 *
 * @param buf_size size of buf in bits
 */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 void ff_init_cabac_states(void)
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
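Review bot: The doc comment kept as context above the new signature still says `@param buf_size size of buf in bits`, while the function computes `c->bytestream_end= buf + buf_size`, so the unit is bytes, and the new non-void return is not documented at all. I would fix the comment to `@param buf_size size of buf in bytes` and add `@return 0 on success, AVERROR_INVALIDDATA if the initial arithmetic-decoder state is invalid`. It is also worth saying in that comment that the check runs after the initial bytes have already been consumed via `*c->bytestream++`, so on failure the context has been modified and must not be used for further decoding. The body between the two hunks is not shown here.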
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 #endif /* AVCODEC_CABAC_H */
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n) return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 41e0f86..397b070 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2000,6 +2000,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the cabac
@@ -2016,7 +2017,9 @@ decode_intra_mb:
 h->intra_pcm_ptr = ptr;
 ptr += mb_size;
-ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+if (ret < 0)
+return ret;
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 3501be3..b0b4060 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
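Review bot: A NULL from skip_bytes no longer means only "fewer than n bytes remain": it now also covers an invalid re-initialised decoder state, and in that case ff_init_cabac_decoder has already re-pointed `c` at `ptr + n` and consumed its initial bytes. Any caller outside this hunk that treats NULL as recoverable and keeps decoding from the old position would be working on a modified context, so every caller must abort the macroblock or slice on NULL. I would state that above the function: `/* Returns NULL if fewer than n bytes remain or the re-initialised decoder state is invalid; in the latter case c has been modified and must not be used further. */`. The start of skip_bytes lies before the hunk.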
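Review bot: `ptr += mb_size` runs before the re-initialisation, so the `buf_size` passed is `h->cabac.bytestream_end - ptr`; whether an earlier, elided line guarantees that mb_size bytes were actually available is not visible here, and if it is not, that value goes negative and the initial bytes are read out of bounds before the new state check can reject anything. Assuming that check exists, the new `return ret` works for callers testing `< 0`, but it leaves `h->intra_pcm_ptr` already pointing into PCM data for a macroblock whose `cbp_table` entry is never written, so the caller must discard the macroblock rather than continue. A short comment on the error path, `/* decoder state is unusable after a failed re-init; caller must abort the slice */`, would make that explicit. The enclosing function starts and ends outside the hunk.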
@@ -2422,13 +2422,16 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 }
 if (h->pps.cabac) {
+int ret;
 /* realign */
 align_get_bits(>gb);
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
 h->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 ff_h264_init_cabac_states(h);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
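Review bot: The new early `return ret` leaves decode_slice before any macroblock has been decoded and without any diagnostic; if the later failure paths of this function (outside the hunk) report the damaged slice to error concealment before returning, this path skips that step and the slice's macroblocks stay unmarked. I would at least log the cause, `av_log(avctx, AV_LOG_ERROR, "Invalid initial CABAC state\n");`, before returning so the failure is distinguishable from a generic slice error. Note also that `(get_bits_left(&h->gb) + 7) / 8` can be 0 and ff_init_cabac_decoder consumes its initial bytes before the new check runs, so this relies on the slice buffer being padded beyond its nominal end, a guarantee that lives outside this hunk. decode_slice begins and ends outside the hunk.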
[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: release/2.7 | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [ed3d4336769425912b925dc46c8d647fbfb4a400] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed3d4336769425912b925dc46c8d647fbfb4a400 --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |4 +++- 5 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 8cc9333..f298336 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 *
 * @param buf_size size of buf in bits
 */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 void ff_init_cabac_states(void)
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
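Review bot: The context comment above the new signature still documents `@param buf_size size of buf in bits`, but `c->bytestream_end= buf + buf_size` treats it as a byte count, and the function's new int return has no `@return` line. I would change it to `@param buf_size size of buf in bytes` and add `@return 0 on success, AVERROR_INVALIDDATA if the initial arithmetic-decoder state is invalid`. Since the check comes after `*c->bytestream++` has consumed the initial bytes, the comment should also warn that a failed call leaves the context modified and unusable. The lines between the two hunks are not shown.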
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 #endif /* AVCODEC_CABAC_H */
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n) return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index c1c8b80..04d412b 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2026,6 +2026,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the cabac
@@ -2042,7 +2043,9 @@ decode_intra_mb:
 sl->intra_pcm_ptr = ptr;
 ptr += mb_size;
-ff_init_cabac_decoder(>cabac, ptr, sl->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, sl->cabac.bytestream_end - ptr);
+if (ret < 0)
+return ret;
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 9cbe8d2..2f32948 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
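Review bot: skip_bytes now returns NULL for two different reasons, too few bytes and an invalid re-initialised state, and only in the second case has `c` already been re-pointed at `ptr + n` and partially consumed by ff_init_cabac_decoder. Callers outside this hunk must therefore treat NULL as fatal for the macroblock or slice; continuing from the old position would decode from a modified context. A comment above the function should say so: `/* Returns NULL if fewer than n bytes remain or the re-initialised decoder state is invalid; in the latter case c has been modified and must not be used further. */`. The function's opening lines are before the hunk.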
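Review bot: The `buf_size` handed to ff_init_cabac_decoder is `sl->cabac.bytestream_end - ptr` after `ptr += mb_size`, so correctness depends on an earlier check (elided between the two hunks) that mb_size bytes really remain; without it the size goes negative and the initial bytes are read out of bounds before the new state check can fire. Given that check, the new `return ret` is fine for callers testing `< 0`, but `sl->intra_pcm_ptr` has already been set for a macroblock whose `cbp_table` entry is never written, so the caller must drop the macroblock rather than proceed. A comment such as `/* decoder state is unusable after a failed re-init; caller must abort the slice */` next to the return would make that contract visible. The enclosing function starts and ends outside the hunk.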
@@ -2319,9 +2319,11 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 align_get_bits(>gb);
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
 sl->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 ff_h264_init_cabac_states(h, sl);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
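Review bot: The added `return ret` exits decode_slice silently before the first macroblock; if the function's later error paths (not in the hunk) register the damaged slice with error concealment before returning, this path bypasses that and leaves the slice unmarked. I would add `av_log(avctx, AV_LOG_ERROR, "Invalid initial CABAC state\n");` ahead of the return so the cause is visible in logs. Separately, `(get_bits_left(&sl->gb) + 7) / 8` may be 0 while ff_init_cabac_decoder still reads its initial bytes before the new check, so this leans on the slice buffer being padded past its end, which is established outside this hunk. decode_slice begins and ends outside the hunk.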
[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: release/2.4 | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [20de3b007bbdcbcced873aa7a5a38ef61a6d00a0] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20de3b007bbdcbcced873aa7a5a38ef61a6d00a0 --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |5 - 5 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 81a75dd..48f70ca 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 *
 * @param buf_size size of buf in bits
 */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 void ff_init_cabac_states(void)
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
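Review bot: The doc comment shown as context, `@param buf_size size of buf in bits`, disagrees with `c->bytestream_end= buf + buf_size`, which is byte arithmetic, and nothing documents the new int return. I would correct it to `@param buf_size size of buf in bytes` and add `@return 0 on success, AVERROR_INVALIDDATA if the initial arithmetic-decoder state is invalid`. The comment should also note that the check runs after `*c->bytestream++` has consumed the initial bytes, so a failing call leaves the context modified and unusable. The body between the two hunks is not visible.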
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 #endif /* AVCODEC_CABAC_H */
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n) return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 1a004a5..09995d8 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1999,6 +1999,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the cabac
@@ -2015,7 +2016,9 @@ decode_intra_mb:
 h->intra_pcm_ptr = ptr;
 ptr += mb_size;
-ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+if (ret < 0)
+return ret;
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index f8b1520..0389094 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
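Review bot: Because `ptr += mb_size` precedes the re-initialisation, `h->cabac.bytestream_end - ptr` is only a valid `buf_size` if an earlier line (elided between the hunks) verified that mb_size bytes remain; otherwise it is negative and the initial bytes are read past the buffer before the new check can reject the state. Assuming that guard exists, the new `return ret` suits callers testing `< 0`, but it leaves `h->intra_pcm_ptr` set for a macroblock whose `cbp_table` entry is never written, so the caller must discard the macroblock. A comment on the return, `/* decoder state is unusable after a failed re-init; caller must abort the slice */`, would record that. The enclosing function starts and ends outside the hunk.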
@@ -2445,13 +2445,16 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 }
 if (h->pps.cabac) {
+int ret;
 /* realign */
 align_get_bits(>gb);
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
 h->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 ff_h264_init_cabac_states(h);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
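Review bot: The new `return ret` leaves decode_slice before any macroblock is decoded and without a diagnostic; if the function's other failure paths (outside the hunk) hand the damaged slice to error concealment first, this path skips that and the slice stays unmarked. I would add `av_log(avctx, AV_LOG_ERROR, "Invalid initial CABAC state\n");` before returning so the failure is attributable. Also, `(get_bits_left(&h->gb) + 7) / 8` can be 0 while ff_init_cabac_decoder still consumes its initial bytes before the new check, so this relies on padding beyond the slice data that is guaranteed elsewhere. decode_slice begins and ends outside the hunk.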
[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: release/2.5 | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [d3de02d9d44256dd2b5c5239bdb2f3830ba8da44] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3de02d9d44256dd2b5c5239bdb2f3830ba8da44 --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |5 - 5 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 81a75dd..48f70ca 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 *
 * @param buf_size size of buf in bits
 */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 void ff_init_cabac_states(void)
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
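Review bot: The context comment `@param buf_size size of buf in bits` contradicts `c->bytestream_end= buf + buf_size`, which counts bytes, and the new non-void return is undocumented. I would write `@param buf_size size of buf in bytes` and add `@return 0 on success, AVERROR_INVALIDDATA if the initial arithmetic-decoder state is invalid`. Because the check is evaluated after `*c->bytestream++` has consumed the initial bytes, the comment should add that a failed call leaves the context modified and unusable for decoding. The lines between the two hunks are not shown.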
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 #endif /* AVCODEC_CABAC_H */
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n) return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index a411efe..1492d8d 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2000,6 +2000,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the cabac
@@ -2016,7 +2017,9 @@ decode_intra_mb:
 h->intra_pcm_ptr = ptr;
 ptr += mb_size;
-ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+if (ret < 0)
+return ret;
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 5de2fcd..57a135e 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -2442,13 +2442,16 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 }
 if (h->pps.cabac) {
+int ret;
 /* realign */
 align_get_bits(>gb);
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
 h->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 ff_h264_init_cabac_states(h);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
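Review bot: The early `return ret` exits decode_slice silently before any macroblock is decoded; if the later error paths of this function (not in the hunk) report the damaged slice to error concealment before returning, this one bypasses that and leaves the slice unmarked. I would log the cause first, `av_log(avctx, AV_LOG_ERROR, "Invalid initial CABAC state\n");`, so the failure can be told apart from a generic slice error. In addition, `(get_bits_left(&h->gb) + 7) / 8` can evaluate to 0 while ff_init_cabac_decoder still reads its initial bytes before the new check, so the call depends on buffer padding guaranteed outside this hunk. decode_slice begins and ends outside the hunk.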
[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: master | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [8000d484b83aafa752d84fbdbfb352ffe0dc64f8] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8000d484b83aafa752d84fbdbfb352ffe0dc64f8 --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |4 +++- 5 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 598c942..5bf5bc2 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -175,7 +175,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 *
 * @param buf_size size of buf in bits
 */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -188,6 +188,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 #ifdef TEST
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index b15a70b..1bf1c62 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
@@ -51,6 +51,6 @@ typedef struct CABACContext{
 }CABACContext;
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 #endif /* AVCODEC_CABAC_H */
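Review bot: The doc comment shown as context above the new signature says `@param buf_size size of buf in bits`, yet `c->bytestream_end= buf + buf_size` treats it as bytes, and the newly non-void function gains no `@return`. I would correct it to `@param buf_size size of buf in bytes` and add `@return 0 on success, AVERROR_INVALIDDATA if the initial arithmetic-decoder state is invalid`. The comment should also say that the check runs after `*c->bytestream++` has consumed the initial bytes, so a failing call leaves the context modified and it must not be used further. The body between the two hunks is not visible here.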
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4ded8eb..31c919b 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n) return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index c1c8b80..04d412b 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2026,6 +2026,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the cabac
@@ -2042,7 +2043,9 @@ decode_intra_mb:
 sl->intra_pcm_ptr = ptr;
 ptr += mb_size;
-ff_init_cabac_decoder(>cabac, ptr, sl->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, sl->cabac.bytestream_end - ptr);
+if (ret < 0)
+return ret;
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index dca5d76..bbadfc9 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -2372,9 +2372,11 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 align_get_bits(>gb);
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
 sl->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 ff_h264_init_cabac_states(h, sl);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: release/2.8 | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [4c718691ea32e9ab70ccaa5e90bfebcea4588c42] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c718691ea32e9ab70ccaa5e90bfebcea4588c42 --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |4 +++- 5 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 8cc9333..f298336 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
 *
 * @param buf_size size of buf in bits
 */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start= c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 void ff_init_cabac_states(void)
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 #endif /* AVCODEC_CABAC_H */
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n) return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index c1c8b80..04d412b 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2026,6 +2026,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the cabac
@@ -2042,7 +2043,9 @@ decode_intra_mb:
 sl->intra_pcm_ptr = ptr;
 ptr += mb_size;
-ff_init_cabac_decoder(>cabac, ptr, sl->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, sl->cabac.bytestream_end - ptr);
+if (ret < 0)
+return ret;
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 041acfc..843cfd0 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -2372,9 +2372,11 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 align_get_bits(>gb);
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
 sl->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 ff_h264_init_cabac_states(h, sl);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog