From: "Ronald S. Bultje" <[email protected]>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
---
 libavcodec/cabac_functions.h |    6 ++++--
 libavcodec/x86/cabac.h       |   12 ++++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index b150aab..4c74cf7 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -47,7 +47,8 @@ static void refill(CABACContext *c){
         c->low+= c->bytestream[0]<<1;
 #endif
     c->low -= CABAC_MASK;
-    c->bytestream+= CABAC_BITS/8;
+    if (c->bytestream < c->bytestream_end)
+        c->bytestream += CABAC_BITS / 8;
 }
 
 static inline void renorm_cabac_decoder_once(CABACContext *c){
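Review bot: The load from `c->bytestream[0]` in the context lines above the new guard still runs on every call, because the guard only stops the pointer from advancing; once `bytestream` reaches `bytestream_end`, refill() keeps reading at or just past the end of the input. If CABAC_BITS is 16, the two-byte step can also start one byte before the end and land beyond it. That is safe only if every caller pads the buffer, so I would either say so next to the guard, e.g. `/* loads above may touch a few bytes past bytestream_end; input must be padded */`, or put the load under the same condition. The same applies to refill2() in the next hunk and to `movzwl (%1), %%edx`, which precedes the new compare in get_cabac_bypass_sign_x86. refill() begins outside this hunk, so the 16-bit branch is inferred from the `#endif`.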
@@ -74,7 +75,8 @@ static void refill2(CABACContext *c){
 #endif
 
     c->low += x<<i;
-    c->bytestream+= CABAC_BITS/8;
+    if (c->bytestream < c->bytestream_end)
+        c->bytestream += CABAC_BITS/8;
 }
 
 static av_always_inline int get_cabac_inline(CABACContext *c, uint8_t * const 
state){
diff --git a/libavcodec/x86/cabac.h b/libavcodec/x86/cabac.h
index 3c3652d..6ff62ac 100644
--- a/libavcodec/x86/cabac.h
+++ b/libavcodec/x86/cabac.h
@@ -51,7 +51,7 @@
         "xor    "tmp"       , "ret"     \n\t"
 #endif /* HAVE_FAST_CMOV */
 
-#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, 
byte) \
+#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, 
byte, end) \
         "movzbl "statep"    , "ret"                                     \n\t"\
         "mov    "range"     , "tmp"                                     \n\t"\
         "and    $0xC0       , "range"                                   \n\t"\
@@ -66,6 +66,8 @@
         "test   "lowword"   , "lowword"                                 \n\t"\
         " jnz   1f                                                      \n\t"\
         "mov    "byte"      , %%"REG_c"                                 \n\t"\
+        "cmp    %%"REG_c"   , "end"                                     \n\t"\
+        "jl     1f                                                      \n\t"\
         "add"OPSIZE" $2     , "byte"                                    \n\t"\
         "movzwl (%%"REG_c")     , "tmp"                                 \n\t"\
         "lea    -1("low")   , %%ecx                                     \n\t"\
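Review bot: The added compare is off by one relative to the C guard: in AT&T order `cmp %%REG_c, end` followed by `jl 1f` skips the refill only when `end` is strictly below the pointer, so a pointer equal to `bytestream_end` still executes the `add $2` and the `movzwl` load, whereas refill() stops at equality. `jl` is also a signed condition, which is the wrong ordering for addresses. Swapping the operands and using an unsigned condition would match the C path: `"cmp "end", %%"REG_c"` followed by `"jae 1f"`. The `cmp %1, %5` / `jl 1f` pair added to get_cabac_bypass_sign_x86 has the same two problems. The macro body continues outside this hunk, so `1f` is assumed to be the existing label after the refill sequence.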
@@ -90,10 +92,10 @@ static av_always_inline int 
get_cabac_inline_x86(CABACContext *c,
 
     __asm__ volatile(
         BRANCHLESS_GET_CABAC("%0", "(%5)", "%1", "%w1", "%2",
-                             "%3", "%b3", "%4")
+                             "%3", "%b3", "%4", "%6")
         :"=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp),
          "+m"(c->bytestream)
-        :"r"(state)
+        :"r"(state), "m"(c->bytestream_end)
         : "%"REG_c, "memory"
     );
     return bit & 1;
@@ -122,6 +124,8 @@ static av_always_inline int 
get_cabac_bypass_sign_x86(CABACContext *c, int val)
         "movzwl (%1), %%edx                     \n\t"
         "bswap %%edx                            \n\t"
         "shrl $15, %%edx                        \n\t"
+        "cmp %1, %5                             \n\t"
+        "jl   1f                                \n\t"
         "add  $2, %1                            \n\t"
         "addl %%edx, %%eax                      \n\t"
         "mov  %1, %3                            \n\t"
@@ -129,7 +133,7 @@ static av_always_inline int 
get_cabac_bypass_sign_x86(CABACContext *c, int val)
         "movl %%eax, %2                         \n\t"
 
         :"+c"(val), "=&r"(tmp), "+m"(c->low), "+m"(c->bytestream)
-        :"m"(c->range)
+        :"m"(c->range), "m"(c->bytestream_end)
         : "%eax", "%edx"
     );
     return val;
-- 
1.7.7.4
