h264_cavlc: check the value of run_before

Section 9.2.3.2 of the spec implies that run_before must not be larger than zeros_left. Fixes invalid reads with corrupted files. CC: libav-stable@libav.org Bug-Id: 1000 Found-By: Kamil Frankowicz
2024-11-26 19:01:44 +02:00 · 2016-12-28 13:02:02 +01:00 · 2016-12-28 13:02:02 +01:00 · 522d850e68
commit 522d850e68
parent 83b2b34d06
1 changed files with 6 additions and 2 deletions
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@ -579,8 +579,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl,
        for(i=1;i<total_coeff && zeros_left > 0;i++) { \
            if(zeros_left < 7) \
                run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
-            else \
+            else {\
                run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+                run_before = FFMIN(zeros_left, run_before);\
+            }\
            zeros_left -= run_before; \
            scantable -= 1 + run_before; \
            ((type*)block)[*scantable]= level[i]; \
@ -594,8 +596,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl,
        for(i=1;i<total_coeff && zeros_left > 0;i++) { \
            if(zeros_left < 7) \
                run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
-            else \
+            else {\
                run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+                run_before = FFMIN(zeros_left, run_before);\
+            }\
            zeros_left -= run_before; \
            scantable -= 1 + run_before; \
            ((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 32))>>6; \