Hi,
On Tue, Jan 13, 2015 at 8:43 AM, Luca Barbato <[email protected]> wrote:
>
> On 13/01/15 13:43, Martin Storsjö wrote:
> > From: Michael Niedermayer <[email protected]>
> >
> > This fixes out of array reads and/or infinite loops.
> >
> > CC: [email protected]
> > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> > ---
> > Not sure exactly which of the fuzzed samples this fixes, I ran
> > into other, unrelated, broken samples that triggered this issue
> > and found this fix for it.
> > ---
> > libavcodec/h264_cabac.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
> > index 1e91626..0ad8ac0 100644
> > --- a/libavcodec/h264_cabac.c
> > +++ b/libavcodec/h264_cabac.c
> > @@ -1712,7 +1712,7 @@ decode_cabac_residual_internal(H264Context *h,
int16_t *block,
> > \
> > if( coeff_abs >= 15 ) { \
> > int j = 0; \
> > - while( get_cabac_bypass( CC ) ) { \
> > + while (get_cabac_bypass(CC) && j < 30) { \
> > j++; \
> > } \
> > \
> >
>
> Probably ok, not sure why 30 though.
1707 int coeff_abs = 2; \
So coeff_abs is of type signed int.
[..]
1717 while(get_cabac_bypass( CC ) && j<30) { \
1718 j++; \
1719 } \
[..]
1721 coeff_abs=1; \
1722 while( j-- ) { \
1723 coeff_abs += coeff_abs + get_cabac_bypass( CC ); \
1724 } \
1725 coeff_abs+= 14; \
Let's rewrite this small block into a different form (for readability in
this particular case):
coeff_abs = 1 << j;
while (j--) {
coeff_abs |= get_cabac_bypass(CC) << j;
}
coeff_abs += 14;
And you'll see why 30 is the max. 1 << 31 is undefined for signed integers.
There is no particular reason why this would be the largest coefficient
that we want to support (really, our storage type is int16_t for 8bit
content so we can't store these coefficients anyway).
HTH,
Ronald
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
