changeset 3408:73c648ae1c74 libavcodec

check cbp for validity, avoids possible out of array reads / segfaults
author michael
date Tue, 04 Jul 2006 16:42:22 +0000
parents f5f2d05b54ac
children 584ff6431043
files cavs.c
diffstat 1 files changed, 21 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/cavs.c	Tue Jul 04 16:30:14 2006 +0000
+++ b/cavs.c	Tue Jul 04 16:42:22 2006 +0000
@@ -754,11 +754,17 @@
                               h->cv,h->c_stride);
 }
 
-static inline void decode_residual_inter(AVSContext *h) {
+static inline int decode_residual_inter(AVSContext *h) {
     int block;
 
     /* get coded block pattern */
-    h->cbp = cbp_tab[get_ue_golomb(&h->s.gb)][1];
+    int cbp= get_ue_golomb(&h->s.gb);
+    if(cbp > 63){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+        return -1;
+    }
+    h->cbp = cbp_tab[cbp][1];
+
     /* get quantizer */
     if(h->cbp && !h->qp_fixed)
         h->qp += get_se_golomb(&h->s.gb);
@@ -767,6 +773,8 @@
             decode_residual_block(h,&h->s.gb,inter_2dvlc,0,h->qp,
                                   h->cy + h->luma_scan[block], h->l_stride);
     decode_residual_chroma(h);
+
+    return 0;
 }
 
 /*****************************************************************************
@@ -861,7 +869,7 @@
     return 1;
 }
 
-static void decode_mb_i(AVSContext *h) {
+static int decode_mb_i(AVSContext *h) {
     GetBitContext *gb = &h->s.gb;
     int block, pred_mode_uv;
     uint8_t top[18];
@@ -914,8 +922,14 @@
     }
 
     /* get coded block pattern */
-    if(h->pic_type == FF_I_TYPE)
-        h->cbp = cbp_tab[get_ue_golomb(gb)][0];
+    if(h->pic_type == FF_I_TYPE){
+        int cbp= get_ue_golomb(gb);
+        if(cbp > 63){
+            av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
+            return -1;
+        }
+        h->cbp = cbp_tab[cbp][0];
+    }
     if(h->cbp && !h->qp_fixed)
         h->qp += get_se_golomb(gb); //qp_delta
 
@@ -959,6 +973,8 @@
     set_mvs(&h->mv[MV_BWD_X0], BLK_16X16);
     if(h->pic_type != FF_B_TYPE)
         *h->col_type = I_8X8;
+
+    return 0;
 }
 
 static void decode_mb_p(AVSContext *h, enum mb_t mb_type) {