Module: libav Branch: release/11 Commit: f2c087a6a9e8fec44e2810cd3922a67a7d65ed03
Author: Anton Khirnov <[email protected]> Committer: Diego Biurrun <[email protected]> Date: Wed Dec 28 13:02:02 2016 +0100 h264_cavlc: check the value of run_before Section 9.2.3.2 of the spec implies that run_before must not be larger than zeros_left. Fixes invalid reads with corrupted files. CC: [email protected] Bug-Id: 1000 Found-By: Kamil Frankowicz (cherry picked from commit 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a) Signed-off-by: Diego Biurrun <[email protected]> --- libavcodec/h264_cavlc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 0ab0355..5553f06 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -581,8 +581,10 @@ static int decode_residual(H264Context *h, GetBitContext *gb, int16_t *block, in
 for(i=1;i<total_coeff && zeros_left > 0;i++) { \
 if(zeros_left < 7) \
 run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
- else \
+ else {\
 run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+ run_before = FFMIN(zeros_left, run_before);\
+ }\
 zeros_left -= run_before; \
 scantable -= 1 + run_before; \
 ((type*)block)[*scantable]= level[i]; \
@@ -596,8 +598,10 @@ static int decode_residual(H264Context *h, GetBitContext *gb, int16_t *block, in
 for(i=1;i<total_coeff && zeros_left > 0;i++) { \
 if(zeros_left < 7) \
 run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
- else \
+ else {\
 run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+ run_before = FFMIN(zeros_left, run_before);\
+ }\
 zeros_left -= run_before; \
 scantable -= 1 + run_before; \
 ((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 32))>>6; \
_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
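Review bot: The added `run_before = FFMIN(zeros_left, run_before);` in the `else` arm of both hunks (at -581 and -596) silently clamps a value the commit message describes as spec-invalid, so a corrupted stream keeps decoding with nothing logged or returned to mark the block as damaged. The clamp is also one-sided: if `get_vlc2` can return a negative value for an unmatched code (not visible in these hunks), `FFMIN` passes it through and `scantable -= 1 + run_before` no longer steps backwards; `run_before = av_clip(run_before, 0, zeros_left);` would bound both ends. The `zeros_left < 7` arm stays unclamped, presumably because `run_vlc[zeros_left - 1]` cannot decode a run larger than `zeros_left`; a short comment on the `else` arm saying why only the shared table needs the clamp, with the 9.2.3.2 reference from the commit message, would keep a later reader from treating the asymmetry as an oversight. Both loops are macro bodies inside `decode_residual` that begin and end outside the hunks.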
