mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-24 13:56:33 +02:00
vp9/update_prob: prevent out of bounds table read
the max value of the lookup in expanded form is: (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254 add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams Signed-off-by: James Zern <jzern@google.com> Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
51782e8690
commit
662714abbe
@ -425,7 +425,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m)
|
||||
// differential forward probability updates
|
||||
static int update_prob(VP56RangeCoder *c, int p)
|
||||
{
|
||||
static const int inv_map_table[254] = {
|
||||
static const int inv_map_table[255] = {
|
||||
7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176,
|
||||
189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9,
|
||||
10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24,
|
||||
@ -444,7 +444,7 @@ static int update_prob(VP56RangeCoder *c, int p)
|
||||
207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221,
|
||||
222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236,
|
||||
237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
|
||||
252, 253,
|
||||
252, 253, 253,
|
||||
};
|
||||
int d;
|
||||
|
||||
@ -474,6 +474,7 @@ static int update_prob(VP56RangeCoder *c, int p)
|
||||
if (d >= 65)
|
||||
d = (d << 1) - 65 + vp8_rac_get(c);
|
||||
d += 64;
|
||||
av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));
|
||||
}
|
||||
|
||||
return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) :
|
||||
|
Loading…
x
Reference in New Issue
Block a user