[FFmpeg-cvslog] vp9/update_prob: prevent out of bounds table read

James Zern git at videolan.org
Thu Aug 20 14:53:45 CEST 2015


ffmpeg | branch: release/2.4 | James Zern <jzern at google.com> | Mon Jun 29 23:03:14 2015 -0700| [c6e16ec711c2644d236aa06e677e8efacd2cf33c] | committer: Michael Niedermayer

vp9/update_prob: prevent out of bounds table read

the max value of the lookup in expanded form is:
(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254

add one entry of padding to inv_map_table[] to prevent out of bounds
access with non-conforming / fuzzed bitstreams

Signed-off-by: James Zern <jzern at google.com>
Reviewed-by: "Ronald S. Bultje" <rsbultje at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c6e16ec711c2644d236aa06e677e8efacd2cf33c
---

 libavcodec/vp9.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 3be17c0..8327134 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -409,7 +409,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m)
 // differential forward probability updates
 static int update_prob(VP56RangeCoder *c, int p)
 {
-    static const int inv_map_table[254] = {
+    static const int inv_map_table[255] = {
           7,  20,  33,  46,  59,  72,  85,  98, 111, 124, 137, 150, 163, 176,
         189, 202, 215, 228, 241, 254,   1,   2,   3,   4,   5,   6,   8,   9,
          10,  11,  12,  13,  14,  15,  16,  17,  18,  19,  21,  22,  23,  24,
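Review bot: The new size in `static const int inv_map_table[255]` is a bare number with nothing in the code tying it to the maximum index of 254 that the commit message derives. Please put a short comment on the declaration stating that the largest index update_prob() can produce is 254 and that the final entry exists only as padding, so a later cleanup does not shrink the table back to 254 entries.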
@@ -428,7 +428,7 @@ static int update_prob(VP56RangeCoder *c, int p)
         207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221,
         222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236,
         237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
-        252, 253,
+        252, 253, 253,
     };
     int d;
 
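Review bot: The duplicated value in `252, 253, 253,` reads like a typo because nothing marks the last entry as deliberate padding. Add a trailing comment on that line saying it is only reachable with non-conforming or fuzzed bitstreams. It is also worth stating why 253 was chosen: an invalid index is silently mapped to the same result as the last valid one rather than being reported as an error.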
@@ -458,6 +458,7 @@ static int update_prob(VP56RangeCoder *c, int p)
         if (d >= 65)
             d = (d << 1) - 65 + vp8_rac_get(c);
         d += 64;
+        av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));
     }
 
     return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) :
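Review bot: The `av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));` added after `d += 64;` is a debug-level assertion that is compiled out unless the build raises the assert level, so in regular builds the read at `inv_map_table[d]` is protected only by the extra table entry. That is acceptable if the derivation in the commit message holds, but the bound deserves a comment next to the assert, for example repeating the expression `(((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254`, so the reasoning lives in the code and not only in the log. The assert also sits inside the closing block of this branch, and the earlier branches are not visible in this hunk; placing it directly before the `return` would cover every path that sets `d`.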


