h264_cavlc: check the value of run_before
authorAnton Khirnov <anton@khirnov.net>
Wed, 28 Dec 2016 12:02:02 +0000 (13:02 +0100)
committerDiego Biurrun <diego@biurrun.de>
Fri, 13 Oct 2017 23:19:41 +0000 (01:19 +0200)
Section 9.2.3.2 of the spec implies that run_before must not be larger
than zeros_left.

Fixes invalid reads with corrupted files.

CC: libav-stable@libav.org
Bug-Id: 1000
Found-By: Kamil Frankowicz
(cherry picked from commit 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
libavcodec/h264_cavlc.c

index 5e3c79d..b797453 100644 (file)
@@ -583,8 +583,10 @@ static int decode_residual(H264Context *h, GetBitContext *gb, DCTELEM *block, in
         for(i=1;i<total_coeff && zeros_left > 0;i++) { \
             if(zeros_left < 7) \
                 run_before= get_vlc2(gb, (run_vlc-1)[zeros_left].table, RUN_VLC_BITS, 1); \
-            else \
+            else {\
                 run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+                run_before = FFMIN(zeros_left, run_before);\
+            }\
             zeros_left -= run_before; \
             scantable -= 1 + run_before; \
             ((type*)block)[*scantable]= level[i]; \
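Review bot: The clamp on the `run_before = FFMIN(zeros_left, run_before);` line silently rewrites a bitstream that violates 9.2.3.2 (run_before > zeros_left, per the description) into a plausible run instead of reporting corrupt data, so a damaged slice decodes to garbage with no error surfaced; if the rest of decode_residual (the function and the enclosing macro both start before and continue after this hunk) returns an error code for other bitstream violations, an explicit `if (run_before > zeros_left) return -1;` style path would be the more consistent fix, at the cost of a few lines. At minimum the clamp deserves a comment stating why it is only needed here, e.g. `/* run7_vlc is not selected by zeros_left, so 9.2.3.2's run_before <= zeros_left bound must be enforced explicitly */`; the `zeros_left < 7` branch is presumably already bounded because its table is indexed by zeros_left, but that is inferred, not visible in the hunk. The same point applies to the identical change in the second hunk at @@ -598,8 +600,10 @@.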
@@ -598,8 +600,10 @@ static int decode_residual(H264Context *h, GetBitContext *gb, DCTELEM *block, in
         for(i=1;i<total_coeff && zeros_left > 0;i++) { \
             if(zeros_left < 7) \
                 run_before= get_vlc2(gb, (run_vlc-1)[zeros_left].table, RUN_VLC_BITS, 1); \
-            else \
+            else {\
                 run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+                run_before = FFMIN(zeros_left, run_before);\
+            }\
             zeros_left -= run_before; \
             scantable -= 1 + run_before; \
             ((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 32))>>6; \