diff options
| author | James Zern <jzern@google.com> | 2015-06-29 23:03:14 -0700 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2015-08-20 14:38:26 +0200 |
| commit | c6e16ec711c2644d236aa06e677e8efacd2cf33c (patch) | |
| tree | d2c2d44cd84f354cfe9924a1aaced4d9544823fb | |
| parent | 3dfadef52216a858ca75a28cc6dfa9620a203c4d (diff) | |
| download | ffmpeg-c6e16ec711c2644d236aa06e677e8efacd2cf33c.tar.gz | |
vp9/update_prob: prevent out of bounds table read
the max value of the lookup in expanded form is:
(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254
add one entry of padding to inv_map_table[] to prevent out of bounds
access with non-conforming / fuzzed bitstreams
Signed-off-by: James Zern <jzern@google.com>
Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/vp9.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 3be17c000f..8327134d37 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -409,7 +409,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m) // differential forward probability updates static int update_prob(VP56RangeCoder *c, int p) { - static const int inv_map_table[254] = { + static const int inv_map_table[255] = { 7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176, 189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24, @@ -428,7 +428,7 @@ static int update_prob(VP56RangeCoder *c, int p) 207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, - 252, 253, + 252, 253, 253, }; int d; @@ -458,6 +458,7 @@ static int update_prob(VP56RangeCoder *c, int p) if (d >= 65) d = (d << 1) - 65 + vp8_rac_get(c); d += 64; + av_assert2(d < FF_ARRAY_ELEMS(inv_map_table)); } return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) : |