From bd968d260aef322fb32e254a3de0d2036c57bd56 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Wed, 10 Aug 2011 18:52:11 +0100
Subject: [PATCH 3/4] cavs: fix some crashes with invalid bitstreams
This removes all valgrind-reported invalid writes with one
Fixes http://www.ocert.org/advisories/ocert-2011-002.html
Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78)
libavcodec/cavsdec.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
18
index a9e4d37..35c37d0 100644
19
--- a/libavcodec/cavsdec.c
20
+++ b/libavcodec/cavsdec.c
21
@@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
23
mask = -(level_code & 1);
24
level = (level^mask) - mask;
26
+ } else if (level_code >= 0) {
27
level = r->rltab[level_code][0];
28
if(!level) //end of block signal
30
run = r->rltab[level_code][1];
31
r += r->rltab[level_code][2];
37
@@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) {
39
static int decode_mb_i(AVSContext *h, int cbp_code) {
40
GetBitContext *gb = &h->s.gb;
41
- int block, pred_mode_uv;
42
+ unsigned pred_mode_uv;
47
@@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) {
48
if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
49
skip_bits_long(gb,24+align);
50
h->stc = get_bits(gb,8);
51
+ if (h->stc >= h->mb_height)
53
decode_slice_header(h,gb);
56
@@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
57
buf_end = buf + buf_size;
59
buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
60
- if(stc & 0xFFFFFE00)
61
+ if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
62
return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
63
input_size = (buf_end - buf_ptr)*8;
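Review bot: The new `buf_ptr == buf_end` test in the guard carries no comment saying why it is needed, and the reason is not obvious from the two visible lines: presumably `ff_find_start_code()` returns `buf_end` when it runs out of input, leaving `stc` holding whatever the scan accumulated, so without the test the code after the early return would dispatch on a stale `stc` with an empty payload. A one-line comment above the `if` would make that intent durable, e.g. `/* no complete start code left in the buffer: stop here instead of acting on a stale stc with no payload */`. Note also that the `FFMAX(0, ...)` return reports an invalid start code to the caller as bytes-consumed success rather than an error, so malformed input is indistinguishable from a short read; an `av_log(avctx, AV_LOG_WARNING, ...)` before the return would at least surface it, if that matches how the rest of this decoder reports bad bitstreams. cavs_decode_frame continues outside the hunk.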