cavs: fix some crashes with invalid bitstreams

This removes all valgrind-reported invalid writes with one specific test file. Fixes http://www.ocert.org/advisories/ocert-2011-002.html Signed-off-by: Mans Rullgard <mans@mansr.com>
2025-10-30 23:18:11 +02:00 · 2011-08-10 18:52:11 +01:00
parent 069083a419
commit 4a71da0f3a
1 changed files with 8 additions and 3 deletions
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
                r++;
            mask = -(level_code & 1);
            level = (level^mask) - mask;
-        } else {
+        } else if (level_code >= 0) {
            level = r->rltab[level_code][0];
            if(!level) //end of block signal
                break;
            run   = r->rltab[level_code][1];
            r += r->rltab[level_code][2];
+        } else {
+            break;
        }
        level_buf[i] = level;
        run_buf[i] = run;
@@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) {

 static int decode_mb_i(AVSContext *h, int cbp_code) {
    GetBitContext *gb = &h->s.gb;
-    int block, pred_mode_uv;
+    unsigned pred_mode_uv;
+    int block;
    uint8_t top[18];
    uint8_t *left = NULL;
    uint8_t *d;
@@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) {
    if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
        skip_bits_long(gb,24+align);
        h->stc = get_bits(gb,8);
+        if (h->stc >= h->mb_height)
+            return 0;
        decode_slice_header(h,gb);
        return 1;
    }
@@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
    buf_end = buf + buf_size;
    for(;;) {
        buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
-        if(stc & 0xFFFFFE00)
+        if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
            return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
        input_size = (buf_end - buf_ptr)*8;
        switch(stc) {