diff options
| author | Mans Rullgard <mans@mansr.com> | 2011-08-10 18:52:11 +0100 |
|---|---|---|
| committer | Mans Rullgard <mans@mansr.com> | 2011-08-10 22:35:20 +0100 |
| commit | 4a71da0f3ab7f5542decd11c81994f849d5b2c78 (patch) | |
| tree | 9ea4c1606c11806ce123ef41057df3e0f5608dba | |
| parent | 069083a419fc1a267ee997817c4e368fa67ca154 (diff) | |
| download | ffmpeg-4a71da0f3ab7f5542decd11c81994f849d5b2c78.tar.gz | |
cavs: fix some crashes with invalid bitstreams
This removes all valgrind-reported invalid writes with one
specific test file.
Fixes http://www.ocert.org/advisories/ocert-2011-002.html
Signed-off-by: Mans Rullgard <mans@mansr.com>
| -rw-r--r-- | libavcodec/cavsdec.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index d5a21bf2de..88034068ff 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, r++; mask = -(level_code & 1); level = (level^mask) - mask; - } else { + } else if (level_code >= 0) { level = r->rltab[level_code][0]; if(!level) //end of block signal break; run = r->rltab[level_code][1]; r += r->rltab[level_code][2]; + } else { + break; } level_buf[i] = level; run_buf[i] = run; @@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) { static int decode_mb_i(AVSContext *h, int cbp_code) { GetBitContext *gb = &h->s.gb; - int block, pred_mode_uv; + unsigned pred_mode_uv; + int block; uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; @@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) { if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) { skip_bits_long(gb,24+align); h->stc = get_bits(gb,8); + if (h->stc >= h->mb_height) + return 0; decode_slice_header(h,gb); return 1; } @@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size, buf_end = buf + buf_size; for(;;) { buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc); - if(stc & 0xFFFFFE00) + if((stc & 0xFFFFFE00) || buf_ptr == buf_end) return FFMAX(0, buf_ptr - buf - s->parse_context.last_index); input_size = (buf_end - buf_ptr)*8; switch(stc) { |