[FFmpeg-cvslog] cavsdec: check for value in get_ue_code()
Michael Niedermayer
git at videolan.org
Thu Jan 24 22:23:53 CET 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Jan 24 21:55:12 2013 +0100| [cf48b006400e34e1177d0ca22d1cdb5c900a199a] | committer: Michael Niedermayer
cavsdec: check for value in get_ue_code()
Fixes integer overflow and prints an error in case the value is
invalid.
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cf48b006400e34e1177d0ca22d1cdb5c900a199a
---
libavcodec/cavsdec.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 9450ed1..fa60d6c 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -510,11 +510,15 @@ static inline void mv_pred_sym(AVSContext *h, cavs_vector *src,
/** kth-order exponential golomb code */
static inline int get_ue_code(GetBitContext *gb, int order)
{
+ unsigned ret = get_ue_golomb(gb);
+ if (ret >= ((1U<<31)>>order)) {
+ av_log(NULL, AV_LOG_ERROR, "get_ue_code: value too larger\n");
+ return AVERROR_INVALIDDATA;
+ }
if (order) {
- int ret = get_ue_golomb(gb) << order;
- return ret + get_bits(gb, order);
+ return (ret<<order) + get_bits(gb, order);
}
- return get_ue_golomb(gb);
+ return ret;
}
static inline int dequant(AVSContext *h, int16_t *level_buf, uint8_t *run_buf,
More information about the ffmpeg-cvslog
mailing list