virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00
Code Issues Releases Activity

avcodec/hevc_cabac: Fix multiple integer overflows

Browse Source 
Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2015-11-27 22:45:46 +01:00
parent c1db1a5ff4
commit 694416e327
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/hevc_cabac.c
View File

@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s)
int k = 1; int k = 1;
while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) {
ret += 1 << k; ret += 1U << k;
k++; k++;
} }
if (k == CABAC_MAX_BIN) if (k == CABAC_MAX_BIN) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
return 0;
}
while (k--) while (k--)
ret += get_cabac_bypass(&s->HEVClc->cc) << k; ret += get_cabac_bypass(&s->HEVClc->cc) << k;
return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); return get_cabac_bypass_sign(&s->HEVClc->cc, -ret);
@ -1025,8 +1027,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc))
prefix++; prefix++;
if (prefix == CABAC_MAX_BIN) if (prefix == CABAC_MAX_BIN) {
av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
return 0;
}
if (prefix < 3) { if (prefix < 3) {
for (i = 0; i < rc_rice_param; i++) for (i = 0; i < rc_rice_param; i++)
suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc);