diff options
| author | Janne Grunau <janne-libav@jannau.net> | 2012-11-30 15:00:47 +0100 |
|---|---|---|
| committer | Janne Grunau <janne-libav@jannau.net> | 2012-12-08 12:55:10 +0100 |
| commit | 9a2e79116d6235c53d8e9663a8d30d1950d7431a (patch) | |
| tree | dd8b6b351db8b31ed596f25434ddd052ff29d9e3 /libavcodec/rv30.c | |
| parent | 1c012e6bfb775eeb01355bfed7229c6795b3f3fc (diff) | |
| download | ffmpeg-9a2e79116d6235c53d8e9663a8d30d1950d7431a.tar.gz | |
golomb: use unsigned arithmetics in svq3_get_ue_golomb()
This prevents undefined behaviour of signed left shift if the coded
value is larger than 2^31. Large values are most likely invalid and
caused errors or by feeding random.
Validate every use of svq3_get_ue_golomb() and changed the place there
the return value was compared with negative numbers. dirac.c was clean,
fixed rv30 and svq3.
Diffstat (limited to 'libavcodec/rv30.c')
| -rw-r--r-- | libavcodec/rv30.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 8016ad35f7..e4f3251047 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -73,7 +73,7 @@ static int rv30_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t for(i = 0; i < 4; i++, dst += r->intra_types_stride - 4){ for(j = 0; j < 4; j+= 2){ - int code = svq3_get_ue_golomb(gb) << 1; + unsigned code = svq3_get_ue_golomb(gb) << 1; if(code >= 81*2){ av_log(r->s.avctx, AV_LOG_ERROR, "Incorrect intra prediction code\n"); return -1; @@ -101,9 +101,9 @@ static int rv30_decode_mb_info(RV34DecContext *r) static const int rv30_b_types[6] = { RV34_MB_SKIP, RV34_MB_B_DIRECT, RV34_MB_B_FORWARD, RV34_MB_B_BACKWARD, RV34_MB_TYPE_INTRA, RV34_MB_TYPE_INTRA16x16 }; MpegEncContext *s = &r->s; GetBitContext *gb = &s->gb; - int code = svq3_get_ue_golomb(gb); + unsigned code = svq3_get_ue_golomb(gb); - if (code < 0 || code > 11) { + if (code > 11) { av_log(s->avctx, AV_LOG_ERROR, "Incorrect MB type code\n"); return -1; } |