[FFmpeg-cvslog] vp9/update_prob: prevent out of bounds table read
James Zern
git at videolan.org
Tue Jun 30 13:43:45 CEST 2015
ffmpeg | branch: master | James Zern <jzern at google.com> | Mon Jun 29 23:03:14 2015 -0700| [e91f860ea74e11e9178500fe8794c47f57dbf48c] | committer: Michael Niedermayer
vp9/update_prob: prevent out of bounds table read
the max value of the lookup in expanded form is:
(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254
add one entry of padding to inv_map_table[] to prevent out of bounds
access with non-conforming / fuzzed bitstreams
Signed-off-by: James Zern <jzern at google.com>
Reviewed-by: "Ronald S. Bultje" <rsbultje at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e91f860ea74e11e9178500fe8794c47f57dbf48c
---
libavcodec/vp9.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 3ad9056..6888326 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -425,7 +425,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m)
// differential forward probability updates
static int update_prob(VP56RangeCoder *c, int p)
{
- static const int inv_map_table[254] = {
+ static const int inv_map_table[255] = {
7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176,
189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9,
10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24,
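Review bot: the new size 255 on inv_map_table[] is a bare literal, and nothing in the code explains why it is one more than the old 254. The commit message derives the maximum index as (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254; putting that derivation in a comment above the declaration would keep the table size tied to the decoder arithmetic for whoever next changes either one.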
@@ -444,7 +444,7 @@ static int update_prob(VP56RangeCoder *c, int p)
207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221,
222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236,
237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
- 252, 253,
+ 252, 253, 253,
};
int d;
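Review bot: the trailing 253 added to the last table row looks like a typo, since it repeats the previous entry and has no comment marking it as padding. Suggest annotating it as the padding entry that only non-conforming bitstreams can reach. It is also worth settling in review whether such a stream should decode silently with this value, as it does here, or be flagged as invalid.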
@@ -474,6 +474,7 @@ static int update_prob(VP56RangeCoder *c, int p)
if (d >= 65)
d = (d << 1) - 65 + vp8_rac_get(c);
d += 64;
+ av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));
}
return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) :
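Review bot: the av_assert2() placed before the closing brace is not a runtime defence, because av_assert2 is compiled in only at assert level 2 or higher, so ordinary builds rely entirely on the padding entry. It also sits inside the block, while the inv_map_table[d] lookup on the return line runs for every path; moving the assert to just before the return would cover all of them. If d must be bounded in normal builds too, that needs an explicit range check, not an assert.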