ref: ca6c00ba18c71e06ba885ab253e667c2fec62317
parent: 9efbef67b9d24aedcbbd170172da40c533b0f615
parent: e8fc798d02ba4c976f24b796a6f4c0681771380a
author: ruil2 <ruil2@cisco.com>
date: Wed Jan 22 13:59:40 EST 2014
Merge pull request #168 from licaiguo/fix-960932 fix 960932 by adding boundary checks on run_before -- review request #51
--- a/codec/decoder/core/inc/error_code.h
+++ b/codec/decoder/core/inc/error_code.h
@@ -116,8 +116,9 @@
ERR_INFO_INVALID_CBP,
ERR_INFO_DQUANT_OUT_OF_RANGE,
ERR_INFO_CAVLC_INVALID_PREFIX,
-ERR_INFO_CAVLC_INVALID_TOTAL_COEFF,
+ERR_INFO_CAVLC_INVALID_TOTAL_COEFF_OR_TRAILING_ONES,
ERR_INFO_CAVLC_INVALID_ZERO_LEFT,
+ERR_INFO_CAVLC_INVALID_RUN_BEFORE,
ERR_INFO_MV_OUT_OF_RANGE,
ERR_INFO_INVALID_I4x4_PRED_MODE,
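Review bot: `ERR_INFO_CAVLC_INVALID_RUN_BEFORE` is inserted in the middle of the enumeration, so `ERR_INFO_MV_OUT_OF_RANGE` and every constant after it take a new numeric value (assuming the enumerators are implicitly numbered, as the visible lines suggest). If these codes are ever logged, returned to callers of the decoder or compared by number in tests, appending the new constant at the end of the enum would keep the existing values stable. The rename of `ERR_INFO_CAVLC_INVALID_TOTAL_COEFF` also requires every other user to be updated, and only one use is visible in this commit. A short comment on the new enumerator, such as `// run_before larger than the zeros left in the block`, would record what it reports.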
--- a/codec/decoder/core/src/parse_mb_syn_cavlc.cpp
+++ b/codec/decoder/core/src/parse_mb_syn_cavlc.cpp
@@ -586,8 +586,6 @@
if (iSuffixLengthSize > 0) {
if (pBitsCache->uiRemainBits <= iSuffixLengthSize) SHIFT_BUFFER (pBitsCache);
- if (pBitsCache->uiRemainBits <= iSuffixLengthSize)
- return 0;
iLevelCode += (pBitsCache->uiCache32Bit >> (32 - iSuffixLengthSize));
POP_BUFFER (pBitsCache, iSuffixLengthSize);
iUsedBits += iSuffixLengthSize;
@@ -628,8 +626,6 @@
iCount = kpBitNumMap[iTotalZeroVlcIdx - 1];
if (pBitsCache->uiRemainBits < iCount) SHIFT_BUFFER (
pBitsCache); // if uiRemainBits+16 still smaller than iCount?? potential bug
- if (pBitsCache->uiRemainBits < iCount)
- return 0;
uiValue = pBitsCache->uiCache32Bit >> (32 - iCount);
iCount = pVlcTable->kpTotalZerosTable[uiTableType][iTotalZeroVlcIdx - 1][uiValue][1];
POP_BUFFER (pBitsCache, iCount);
@@ -647,8 +643,6 @@
if (iZerosLeft > 0) {
uiCount = g_kuiZeroLeftBitNumMap[iZerosLeft];
if (pBitsCache->uiRemainBits < uiCount) SHIFT_BUFFER (pBitsCache);
- if (pBitsCache->uiRemainBits < uiCount)
- return 0;
uiValue = pBitsCache->uiCache32Bit >> (32 - uiCount);
if (iZerosLeft < 7) {
uiCount = pVlcTable->kpZeroTable[iZerosLeft - 1][uiValue][1];
@@ -669,6 +663,8 @@
iPrefixBits = GetPrefixBits (pBitsCache->uiCache32Bit);
#endif
iRun[i] = iPrefixBits + 6;
+ if (iRun[i] > iZerosLeft)
+ return -1;
POP_BUFFER (pBitsCache, iPrefixBits);
iUsedBits += iPrefixBits;
}
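Review bot: The added `return -1` gives a function that otherwise returns a consumed-bit count an in-band error value, and nothing at the check says so. A comment on the guard would make the contract explicit, for example `// run_before may not exceed the zeros still to be placed; -1 tells the caller the stream is invalid`. It is also worth stating in the function's header comment that the bit cache is left un-popped on this path, since the return happens before `POP_BUFFER`. The function begins and ends outside this hunk, so whether the table-driven branch needs the same comparison cannot be judged from here.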
@@ -739,8 +735,8 @@
pBs->iIndex += iUsedBits;
return 0;
}
- if (uiTrailingOnes > 3 || uiTotalCoeff > 16) { /////////////////check uiTrailingOnes and uiTotalCoeff
- return -1;
+ if ((uiTrailingOnes > 3) || (uiTotalCoeff > 16)) { /////////////////check uiTrailingOnes and uiTotalCoeff
+ return ERR_INFO_CAVLC_INVALID_TOTAL_COEFF_OR_TRAILING_ONES;
}
iUsedBits += CavlcGetLevelVal (iLevel, &sReadBitsCache, uiTotalCoeff, uiTrailingOnes);
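Review bot: The result of `CavlcGetLevelVal` on the last line of this hunk is still added to `iUsedBits` with no failure check, and this commit deletes the `uiRemainBits` guards that followed `SHIFT_BUFFER` (hunks at -586, -628 and -647) instead of turning their `return 0` into an error. As far as the visible lines show, a bit cache that is still short after the refill is now read and popped anyway, so a truncated or malformed bitstream is not reported on those paths; the existing remark `potential bug` in the -628 hunk describes the same case. Consider keeping those guards as `return -1` and checking each caller the way the run_before call is checked in the next hunk, mapping the failure to an `ERR_INFO_*` code. The enclosing function starts and ends outside this hunk.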
@@ -753,8 +749,10 @@
if (iZerosLeft < 0) {
return ERR_INFO_CAVLC_INVALID_ZERO_LEFT;
}
- iUsedBits += CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft);
-
+ if ((i = CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft)) == -1) {
+ return ERR_INFO_CAVLC_INVALID_RUN_BEFORE;
+ }
+ iUsedBits += i;
pBs->iIndex += iUsedBits;
iCoeffNum = -1;
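Review bot: The return value of `CavlcGetRunBefore` is assigned to `i` inside the `if` condition, which reads as a loop index being reused as a temporary and ties the caller to the exact value -1. A dedicated local with a `< 0` test is clearer and keeps working if the callee later gains other negative results, e.g. `iRunBits = CavlcGetRunBefore (iRun, &sReadBitsCache, uiTotalCoeff, pVlcTable, iZerosLeft);` followed by `if (iRunBits < 0) return ERR_INFO_CAVLC_INVALID_RUN_BEFORE;`. Whether `i` is still needed with its previous value after this point cannot be seen here, because the function continues outside the hunk.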