cabac: add overread protection to BRANCHLESS_GET_CABAC().
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
parent
448dc42571
commit
a940198130
@ -51,7 +51,7 @@
|
|||||||
"xor "tmp" , "ret" \n\t"
|
"xor "tmp" , "ret" \n\t"
|
||||||
#endif /* HAVE_FAST_CMOV */
|
#endif /* HAVE_FAST_CMOV */
|
||||||
|
|
||||||
#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte) \
|
#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte, end) \
|
||||||
"movzbl "statep" , "ret" \n\t"\
|
"movzbl "statep" , "ret" \n\t"\
|
||||||
"mov "range" , "tmp" \n\t"\
|
"mov "range" , "tmp" \n\t"\
|
||||||
"and $0xC0 , "range" \n\t"\
|
"and $0xC0 , "range" \n\t"\
|
||||||
@ -64,9 +64,12 @@
|
|||||||
"shl %%cl , "low" \n\t"\
|
"shl %%cl , "low" \n\t"\
|
||||||
"mov "tmpbyte" , "statep" \n\t"\
|
"mov "tmpbyte" , "statep" \n\t"\
|
||||||
"test "lowword" , "lowword" \n\t"\
|
"test "lowword" , "lowword" \n\t"\
|
||||||
" jnz 1f \n\t"\
|
" jnz 2f \n\t"\
|
||||||
"mov "byte" , %%"REG_c" \n\t"\
|
"mov "byte" , %%"REG_c" \n\t"\
|
||||||
|
"cmp "end" , %%"REG_c" \n\t"\
|
||||||
|
"jge 1f \n\t"\
|
||||||
"add"OPSIZE" $2 , "byte" \n\t"\
|
"add"OPSIZE" $2 , "byte" \n\t"\
|
||||||
|
"1: \n\t"\
|
||||||
"movzwl (%%"REG_c") , "tmp" \n\t"\
|
"movzwl (%%"REG_c") , "tmp" \n\t"\
|
||||||
"lea -1("low") , %%ecx \n\t"\
|
"lea -1("low") , %%ecx \n\t"\
|
||||||
"xor "low" , %%ecx \n\t"\
|
"xor "low" , %%ecx \n\t"\
|
||||||
@ -79,7 +82,7 @@
|
|||||||
"add $7 , %%ecx \n\t"\
|
"add $7 , %%ecx \n\t"\
|
||||||
"shl %%cl , "tmp" \n\t"\
|
"shl %%cl , "tmp" \n\t"\
|
||||||
"add "tmp" , "low" \n\t"\
|
"add "tmp" , "low" \n\t"\
|
||||||
"1: \n\t"
|
"2: \n\t"
|
||||||
|
|
||||||
#if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
|
#if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
|
||||||
#define get_cabac_inline get_cabac_inline_x86
|
#define get_cabac_inline get_cabac_inline_x86
|
||||||
@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c,
|
|||||||
|
|
||||||
__asm__ volatile(
|
__asm__ volatile(
|
||||||
BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
|
BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
|
||||||
"%2", "%3", "%b3", "%a6(%5)")
|
"%2", "%3", "%b3",
|
||||||
|
"%a6(%5)", "%a7(%5)")
|
||||||
: "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
|
: "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
|
||||||
: "r"(state), "r"(c),
|
: "r"(state), "r"(c),
|
||||||
"i"(offsetof(CABACContext, bytestream))
|
"i"(offsetof(CABACContext, bytestream)),
|
||||||
|
"i"(offsetof(CABACContext, bytestream_end))
|
||||||
: "%"REG_c, "memory"
|
: "%"REG_c, "memory"
|
||||||
);
|
);
|
||||||
return bit & 1;
|
return bit & 1;
|
||||||
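Review bot: The new `cmp "end"` / `jge 1f` guard in BRANCHLESS_GET_CABAC only skips the pointer advance; the `movzwl (%%"REG_c")` at label `1:` still executes, so once `bytestream` has reached `bytestream_end` every refill loads two bytes at the clamped pointer, and with a single byte left the check passes and the load already extends past the end. The overread is therefore bounded rather than removed, which is safe only if callers keep padding after the input buffer; a comment above the macro such as `/* end: bytestream_end operand; the refill load still runs at the clamped pointer, so input must be padded */` would record that assumption. `jge` is also a signed comparison applied to addresses, which can misorder two pointers lying on either side of 0x80000000 on 32-bit builds; `"jae 1f \n\t"\` is the unsigned form. The macro body continues outside the hunks shown.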
|
@ -49,14 +49,16 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
|
|||||||
"3: \n\t"
|
"3: \n\t"
|
||||||
|
|
||||||
BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
|
BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
|
||||||
"%5", "%k0", "%b0", "%a11(%6)")
|
"%5", "%k0", "%b0",
|
||||||
|
"%a11(%6)", "%a12(%6)")
|
||||||
|
|
||||||
"test $1, %4 \n\t"
|
"test $1, %4 \n\t"
|
||||||
" jz 4f \n\t"
|
" jz 4f \n\t"
|
||||||
"add %10, %1 \n\t"
|
"add %10, %1 \n\t"
|
||||||
|
|
||||||
BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
|
BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
|
||||||
"%5", "%k0", "%b0", "%a11(%6)")
|
"%5", "%k0", "%b0",
|
||||||
|
"%a11(%6)", "%a12(%6)")
|
||||||
|
|
||||||
"sub %10, %1 \n\t"
|
"sub %10, %1 \n\t"
|
||||||
"mov %2, %0 \n\t"
|
"mov %2, %0 \n\t"
|
||||||
@ -83,7 +85,8 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
|
|||||||
: "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index),
|
: "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index),
|
||||||
"+&r"(c->low), "=&r"(bit), "+&r"(c->range)
|
"+&r"(c->low), "=&r"(bit), "+&r"(c->range)
|
||||||
: "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off),
|
: "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off),
|
||||||
"i"(offsetof(CABACContext, bytestream))
|
"i"(offsetof(CABACContext, bytestream)),
|
||||||
|
"i"(offsetof(CABACContext, bytestream_end))
|
||||||
: "%"REG_c, "memory"
|
: "%"REG_c, "memory"
|
||||||
);
|
);
|
||||||
return coeff_count;
|
return coeff_count;
|
||||||
@ -106,7 +109,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
|
|||||||
"add %9, %6 \n\t"
|
"add %9, %6 \n\t"
|
||||||
|
|
||||||
BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
|
BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
|
||||||
"%5", "%k0", "%b0", "%a12(%7)")
|
"%5", "%k0", "%b0",
|
||||||
|
"%a12(%7)", "%a13(%7)")
|
||||||
|
|
||||||
"mov %1, %k6 \n\t"
|
"mov %1, %k6 \n\t"
|
||||||
"test $1, %4 \n\t"
|
"test $1, %4 \n\t"
|
||||||
@ -116,7 +120,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
|
|||||||
"add %11, %6 \n\t"
|
"add %11, %6 \n\t"
|
||||||
|
|
||||||
BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
|
BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
|
||||||
"%5", "%k0", "%b0", "%a12(%7)")
|
"%5", "%k0", "%b0",
|
||||||
|
"%a12(%7)", "%a13(%7)")
|
||||||
|
|
||||||
"mov %2, %0 \n\t"
|
"mov %2, %0 \n\t"
|
||||||
"mov %1, %k6 \n\t"
|
"mov %1, %k6 \n\t"
|
||||||
@ -141,7 +146,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
|
|||||||
"=&r"(bit), "+&r"(c->range), "=&r"(state)
|
"=&r"(bit), "+&r"(c->range), "=&r"(state)
|
||||||
: "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base),
|
: "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base),
|
||||||
"m"(sig_off), "m"(last_coeff_ctx_base),
|
"m"(sig_off), "m"(last_coeff_ctx_base),
|
||||||
"i"(offsetof(CABACContext, bytestream))
|
"i"(offsetof(CABACContext, bytestream)),
|
||||||
|
"i"(offsetof(CABACContext, bytestream_end))
|
||||||
: "%"REG_c, "memory"
|
: "%"REG_c, "memory"
|
||||||
);
|
);
|
||||||
return coeff_count;
|
return coeff_count;
|
||||||
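Review bot: The bounds check at these call sites depends on hand-counted positional operands (`%a11`/`%a12` in decode_significance_x86, `%a12`/`%a13` in decode_significance_8x8_x86) matching constraint lists that partly lie outside the hunks; a miscount would make the guard compare against the wrong CABACContext field, probably without a compiler diagnostic. Named operands would tie the two together, for example `[bs_end] "i"(offsetof(CABACContext, bytestream_end))` with `"%a[bs_end](%6)"` at the macro call. In decode_significance_x86 the local passed as `"m"(end)` appears to be a different value from the macro's new `end` parameter, so a short comment at the call, `/* last argument: c->bytestream_end, not the local end */`, would avoid confusion.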
|