[FFmpeg-devel] [PATCH] Check for invalid VLC code in zeros_left before writing coefficients.

Michael Niedermayer michaelni at gmx.at
Sun Dec 9 13:05:50 CET 2012


Hi

On Fri, Dec 07, 2012 at 01:09:20PM -0800, Ronald S. Bultje wrote:
> From: "Ronald S. Bultje" <rsbultje at gmail.com>
> 
> This prevents an invalid write into coeffs[scantable[-1]] if zeros_left
> itself was an invalid VLC code (and thus -1).

scantable[-1] has to be a value between 0 and 255 as it's uint8_t;
coeffs is supposed to be at least 256 entries large for exactly that
reason.

this is documented in h264.h:
    DCTELEM mb_padding[256 * 2];        ///< as mb is addressed by scantable[i] and scantable is uint8_t we can either check that i is not too large or ensure that there is some unused stuff after mb

So it does not seem possible, but maybe I am missing something.
How did you find/reproduce this bug?

> ---
>  libavcodec/h264_cavlc.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
> index 8702122..fa2bd99 100644
> --- a/libavcodec/h264_cavlc.c
> +++ b/libavcodec/h264_cavlc.c
> @@ -610,17 +610,17 @@ static int decode_residual(H264Context *h, GetBitContext *gb, DCTELEM *block, in
>          } \
>      }
>  
> +    if(zeros_left<0){
> +        av_log(h->s.avctx, AV_LOG_ERROR, "negative number of zero coeffs at %d %d\n", s->mb_x, s->mb_y);
> +        return -1;
> +    }
> +
>      if (h->pixel_shift) {
>          STORE_BLOCK(int32_t)
>      } else {
>          STORE_BLOCK(int16_t)
>      }
>  


> -    if(zeros_left<0){
> -        av_log(h->s.avctx, AV_LOG_ERROR, "negative number of zero coeffs at %d %d\n", s->mb_x, s->mb_y);
> -        return -1;
> -    }
> -
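Review bot: moving the `if(zeros_left<0)` check ahead of `STORE_BLOCK` means that on an invalid zeros_left the coefficients already parsed are never written into the block before `return -1`, so a corrupt macroblock loses the partial data a concealment pass could otherwise use; the commit message should justify the out-of-bounds claim it makes, because scantable is `uint8_t`, so `coeffs[scantable[-1]]` can only reach index 0..255, which is the range `mb_padding` in h264.h exists to absorb. If the early return is kept, returning AVERROR_INVALIDDATA instead of the bare `-1` would be the more idiomatic error value while the line is being touched.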

This breaks error detection and worsens error concealment.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
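The two mitigations contrasted above (bounds-check the table index, or pad the destination so that any uint8_t scantable value stays in range), as an added example that is not FFmpeg code; BLOCK_COEFFS, store_padded, store_checked and demo_scantable are constructed names, and the table entry 255 stands in for whatever an invalid VLC code could select:

```c
#include <stdint.h>
#include <string.h>
#define BLOCK_COEFFS 16   /* constructed 4x4 block size */
#define PAD_COEFFS   256  /* one slot for every value a uint8_t index can take */

/* Block followed by padding: coeffs[scantable[i]] stays inside the array
 * whatever byte the scantable yields, the same idea as mb/mb_padding. */
typedef struct { int16_t coeffs[BLOCK_COEFFS + PAD_COEFFS]; } padded_block;

/* Strategy 1, padding: store unconditionally; a bogus entry lands in the
 * padding, never read back as block data. Returns 1 if the real block was hit. */
int store_padded(padded_block *b, const uint8_t *scantable, int i, int16_t v)
{
    uint8_t idx = scantable[i];          /* 0..255 by type, always in bounds */
    b->coeffs[idx] = v;
    return idx < BLOCK_COEFFS;
}

/* Strategy 2, explicit check: refuse the store and report corrupt data,
 * the same shape as the zeros_left<0 check in the patch. */
int store_checked(int16_t *coeffs, size_t n, const uint8_t *scantable, int i, int16_t v)
{
    uint8_t idx = scantable[i];
    if (idx >= n)
        return -1;                       /* caller treats this as a decode error */
    coeffs[idx] = v;
    return 0;
}

/* Constructed scan table: 16 valid entries plus one deliberately bad entry
 * (255) standing in for the value an invalid VLC code might select. */
static const uint8_t demo_scantable[BLOCK_COEFFS + 1] = {
    0, 1, 4, 8, 5, 2, 3, 6, 9, 12, 13, 10, 7, 11, 14, 15, 255 };

/* Runs both strategies with the bad entry. Returns 1 when the padded store was
 * absorbed by the padding, the checked store refused, and the block is untouched. */
int demo_bad_index(void)
{
    padded_block b;
    int16_t plain[BLOCK_COEFFS];
    memset(&b, 0, sizeof b);
    memset(plain, 0, sizeof plain);
    int hit_block = store_padded(&b, demo_scantable, BLOCK_COEFFS, 7);
    int rc = store_checked(plain, BLOCK_COEFFS, demo_scantable, BLOCK_COEFFS, 7);
    for (int k = 0; k < BLOCK_COEFFS; k++)
        if (b.coeffs[k] != 0 || plain[k] != 0)
            return 0;
    return !hit_block && rc == -1 && b.coeffs[255] == 7;
}
```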