~noskcaj/ubuntu/saucy/libav/merge0.8.7-1


Viewing changes to debian/patches/post-0.7.1/0003-cavs-fix-some-crashes-with-invalid-bitstreams.patch

  • Committer: Bazaar Package Importer
  • Author(s): Reinhard Tartler
  • Date: 2011-08-26 11:12:43 UTC
  • mfrom: (1.1.10 experimental)
  • Revision ID: james.westby@ubuntu.com-20110826111243-8nly9srkqhb5oa0l
Tags: 4:0.7.1-3ubuntu1
* Merge from debian/unstable
  - don't build against libfaad, libdirac, librtmp and libopenjpeg,
    lame, xvid, x264  (all in universe)
* Drop extra conflicts on libswscale-extra-1

 
1
From bd968d260aef322fb32e254a3de0d2036c57bd56 Mon Sep 17 00:00:00 2001
 
2
From: Mans Rullgard <mans@mansr.com>
 
3
Date: Wed, 10 Aug 2011 18:52:11 +0100
 
4
Subject: [PATCH 3/4] cavs: fix some crashes with invalid bitstreams
 
5
 
 
6
This removes all valgrind-reported invalid writes with one
 
7
specific test file.
 
8
 
 
9
Fixes http://www.ocert.org/advisories/ocert-2011-002.html
 
10
 
 
11
Signed-off-by: Mans Rullgard <mans@mansr.com>
 
12
(cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78)
 
13
---
 
14
 libavcodec/cavsdec.c |   11 ++++++++---
 
15
 1 files changed, 8 insertions(+), 3 deletions(-)
 
16
 
 
17
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
 
18
index a9e4d37..35c37d0 100644
 
19
--- a/libavcodec/cavsdec.c
 
20
+++ b/libavcodec/cavsdec.c
 
21
@@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
 
22
                 r++;
 
23
             mask = -(level_code & 1);
 
24
             level = (level^mask) - mask;
 
25
-        } else {
 
26
+        } else if (level_code >= 0) {
 
27
             level = r->rltab[level_code][0];
 
28
             if(!level) //end of block signal
 
29
                 break;
 
30
             run   = r->rltab[level_code][1];
 
31
             r += r->rltab[level_code][2];
 
32
+        } else {
 
33
+            break;
 
34
         }
 
35
         level_buf[i] = level;
 
36
         run_buf[i] = run;
 
37
@@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 
38
 
 
39
 static int decode_mb_i(AVSContext *h, int cbp_code) {
 
40
     GetBitContext *gb = &h->s.gb;
 
41
-    int block, pred_mode_uv;
 
42
+    unsigned pred_mode_uv;
 
43
+    int block;
 
44
     uint8_t top[18];
 
45
     uint8_t *left = NULL;
 
46
     uint8_t *d;
 
47
@@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) {
 
48
     if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
 
49
         skip_bits_long(gb,24+align);
 
50
         h->stc = get_bits(gb,8);
 
51
+        if (h->stc >= h->mb_height)
 
52
+            return 0;
 
53
         decode_slice_header(h,gb);
 
54
         return 1;
 
55
     }
 
56
@@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
 
57
     buf_end = buf + buf_size;
 
58
     for(;;) {
 
59
         buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
 
60
-        if(stc & 0xFFFFFE00)
 
61
+        if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
 
62
             return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
 
63
         input_size = (buf_end - buf_ptr)*8;
 
64
         switch(stc) {
 
65
-- 
 
66
1.7.4.1
 
67
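Review bot: In the check_for_slice hunk the new range check runs only after `h->stc = get_bits(gb,8);` has stored the value and `skip_bits_long` has consumed the start code, so returning 0 leaves an out-of-range slice number in the context while reporting that no slice was found. Whether anything reads `h->stc` before the next valid slice is not visible here, but validating before storing removes the question: `unsigned stc = get_bits(gb,8);`, `if (stc >= h->mb_height) return 0;`, `h->stc = stc;`. In the decode_residual_block hunk a negative `level_code` is handled with a plain `break`, the same exit as the normal end-of-block signal (`if(!level) break;`); if the function has an error return, using it there would let callers tell corrupt input from a complete block. Both functions start and end outside their hunks.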