[FFmpeg-devel] [PATCH] Check for invalid VLC code in zeros_left before writing coefficients.
Michael Niedermayer
michaelni at gmx.at
Sun Dec 9 13:05:50 CET 2012
Hi
On Fri, Dec 07, 2012 at 01:09:20PM -0800, Ronald S. Bultje wrote:
> From: "Ronald S. Bultje" <rsbultje at gmail.com>
>
> This prevents an invalid write into coeffs[scantable[-1]] if zeros_left
> itself was an invalid VLC code (and thus -1).
scantable[-1] has to be a value between 0 and 255 as it's uint8_t
coeffs is supposed to be at least 256 entries large for exactly that
reason
this is documented in h264.h:
DCTELEM mb_padding[256 * 2]; ///< as mb is addressed by scantable[i] and scantable is uint8_t we can either check that i is not too large or ensure that there is some unused stuff after mb
So it does not seem possible, but maybe I am missing something
How did you find/reproduce this bug?
> ---
> libavcodec/h264_cavlc.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
> index 8702122..fa2bd99 100644
> --- a/libavcodec/h264_cavlc.c
> +++ b/libavcodec/h264_cavlc.c
> @@ -610,17 +610,17 @@ static int decode_residual(H264Context *h, GetBitContext *gb, DCTELEM *block, in
> } \
> }
>
> + if(zeros_left<0){
> + av_log(h->s.avctx, AV_LOG_ERROR, "negative number of zero coeffs at %d %d\n", s->mb_x, s->mb_y);
> + return -1;
> + }
> +
> if (h->pixel_shift) {
> STORE_BLOCK(int32_t)
> } else {
> STORE_BLOCK(int16_t)
> }
>
> - if(zeros_left<0){
> - av_log(h->s.avctx, AV_LOG_ERROR, "negative number of zero coeffs at %d %d\n", s->mb_x, s->mb_y);
> - return -1;
> - }
> -
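Review bot: the moved `if(zeros_left<0)` check now returns before either STORE_BLOCK expansion, but neither the commit message nor the hunk says which access inside STORE_BLOCK ends up at scantable[-1] when zeros_left is -1. A short comment above the check stating why it must precede STORE_BLOCK, together with the sample or test case that triggers the write, would let the ordering be verified. Returning early also means nothing is stored for the block on this error path, where the old order ran STORE_BLOCK first and only then reported the error; that behaviour change for the caller's error handling should be stated in the commit message.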
this breaks error detection and worsens error concealment
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you think the Mossad wants you dead since a long time then you are either
wrong or dead since a long time.