From patchwork Mon Jul 27 09:08:07 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21278
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 27 Jul 2020 11:08:07 +0200
Message-Id: <20200727090810.23794-2-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200727090810.23794-1-andreas.rheinhardt@gmail.com>
References: <20200727090810.23794-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH v3 2/5] avcodec/golomb: Prevent shift by negative number
Cc: Andreas Rheinhardt

This happened in get_ue_golomb() if the cached bitstream reader was in
use, because there was no check to handle the case of the read value
not being in the supported range. For consistency with the uncached
bitstream reader and for compliance with the documentation, every value
not in the 0-8190 range is treated as error although the cached
bitstream reader could actually read values in the range 0..65534
without problems.

Signed-off-by: Andreas Rheinhardt
---
v3: Besides accepting the same range as the uncached version this
version also consumes bits in case of error like the uncached version.
Unfortunately it is not possible to always consume the same number of
bits, because the uncached version will consume 63 bits as soon as all
valid bits are zero, whereas the cached version will only consume 63
bits if the next 31 bits are zero.

libavcodec/golomb.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 1f988d74aa..aed9b22471 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h
@@ -66,9 +66,12 @@ static inline int get_ue_golomb(GetBitContext *gb) return ff_ue_golomb_vlc_code[buf]; } else { int log = 2 * av_log2(buf) - 31; + + skip_bits_long(gb, 32 - log); + if (log < 7) + return AVERROR_INVALIDDATA; buf >>= log; buf--; - skip_bits_long(gb, 32 - log); return buf; }
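Review bot: The bound in `if (log < 7)` is a bare magic number, and nothing in the hunk ties it to the 0-8190 range that the commit message gives as the documented limit. With `log = 2 * av_log2(buf) - 31` and a 32-bit buf, `log < 7` means 13 or more leading zero bits, i.e. a code longer than 25 bits, and it also catches every negative log, which is the case that made `buf >>= log` undefined. A one-line comment saying so above the check would make the constant auditable. Separately, `skip_bits_long(gb, 32 - log)` now runs before the check, so the error path skips up to 63 bits when log is -31. The v3 notes say consuming bits on error is intended, but that belongs in a code comment as well, so the ordering is not reverted later as an apparent mistake. The added blank `+` line after the declaration of log is a style nit only.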