ref: a2164c22af245f845f42fa268cea73e5a0d1b5ba
parent: 7d6035d5d4bfc8db4fb5d496ddfee85921178e04
author: Licai Guo <[email protected]>
date: Sun Jan 19 17:15:25 EST 2014
fix 960932 by add boundary checks on run_before
--- a/codec/decoder/core/inc/error_code.h
+++ b/codec/decoder/core/inc/error_code.h
@@ -116,8 +116,9 @@
ERR_INFO_INVALID_CBP,
ERR_INFO_DQUANT_OUT_OF_RANGE,
ERR_INFO_CAVLC_INVALID_PREFIX,
-ERR_INFO_CAVLC_INVALID_TOTAL_COEFF,
+ERR_INFO_CAVLC_INVALID_TOTAL_COEFF_OR_TRAILING_ONES,
ERR_INFO_CAVLC_INVALID_ZERO_LEFT,
+ERR_INFO_CAVLC_INVALID_RUN_BEFORE,
ERR_INFO_MV_OUT_OF_RANGE,
ERR_INFO_INVALID_I4x4_PRED_MODE,
--- a/codec/decoder/core/src/parse_mb_syn_cavlc.cpp
+++ b/codec/decoder/core/src/parse_mb_syn_cavlc.cpp
@@ -586,8 +586,6 @@
if (iSuffixLengthSize > 0) {
if (pBitsCache->uiRemainBits <= iSuffixLengthSize) SHIFT_BUFFER (pBitsCache);
- if (pBitsCache->uiRemainBits <= iSuffixLengthSize)
- return 0;
iLevelCode += (pBitsCache->uiCache32Bit >> (32 - iSuffixLengthSize));
POP_BUFFER (pBitsCache, iSuffixLengthSize);
iUsedBits += iSuffixLengthSize;
@@ -628,8 +626,6 @@
iCount = kpBitNumMap[iTotalZeroVlcIdx - 1];
if (pBitsCache->uiRemainBits < iCount) SHIFT_BUFFER (
pBitsCache); // if uiRemainBits+16 still smaller than iCount?? potential bug
- if (pBitsCache->uiRemainBits < iCount)
- return 0;
uiValue = pBitsCache->uiCache32Bit >> (32 - iCount);
iCount = pVlcTable->kpTotalZerosTable[uiTableType][iTotalZeroVlcIdx - 1][uiValue][1];
POP_BUFFER (pBitsCache, iCount);
@@ -647,8 +643,6 @@
if (iZerosLeft > 0) {
uiCount = g_kuiZeroLeftBitNumMap[iZerosLeft];
if (pBitsCache->uiRemainBits < uiCount) SHIFT_BUFFER (pBitsCache);
- if (pBitsCache->uiRemainBits < uiCount)
- return 0;
uiValue = pBitsCache->uiCache32Bit >> (32 - uiCount);
if (iZerosLeft < 7) {
uiCount = pVlcTable->kpZeroTable[iZerosLeft - 1][uiValue][1];
@@ -669,6 +663,8 @@
iPrefixBits = GetPrefixBits (pBitsCache->uiCache32Bit);
#endif
iRun[i] = iPrefixBits + 6;
+ if (iRun[i] > iZerosLeft)
+ return -1;
POP_BUFFER (pBitsCache, iPrefixBits);
iUsedBits += iPrefixBits;
}
@@ -740,7 +736,7 @@
return 0;
}
if (uiTrailingOnes > 3 || uiTotalCoeff > 16) { /////////////////check uiTrailingOnes and uiTotalCoeff
- return -1;
+ return ERR_INFO_CAVLC_INVALID_TOTAL_COEFF_OR_TRAILING_ONES;
}
iUsedBits += CavlcGetLevelVal (iLevel, &sReadBitsCache, uiTotalCoeff, uiTrailingOnes);
@@ -753,8 +749,10 @@
if (iZerosLeft < 0) {
return ERR_INFO_CAVLC_INVALID_ZERO_LEFT;
}
- iUsedBits += CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft);
-
+ if ((i = CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft)) == -1) {
+ return ERR_INFO_CAVLC_INVALID_RUN_BEFORE;
+ }
+ iUsedBits += i;
pBs->iIndex += iUsedBits;
iCoeffNum = -1;