[FFmpeg-devel] [PATCH] Check for invalid VLC code in zeros_left before writing coefficients.

Reimar Döffinger Reimar.Doeffinger at gmx.de
Sun Dec 9 13:26:08 CET 2012


On Sun, Dec 09, 2012 at 01:05:50PM +0100, Michael Niedermayer wrote:
> Hi
> 
> On Fri, Dec 07, 2012 at 01:09:20PM -0800, Ronald S. Bultje wrote:
> > From: "Ronald S. Bultje" <rsbultje at gmail.com>
> > 
> > This prevents an invalid write into coeffs[scantable[-1]] if zeros_left
> > itself was an invalid VLC code (and thus -1).
> 
> scantable[-1] has to be a value between 0 and 255 as it's uint8_t
> coeffs is supposed to be at least 256 entries large for exactly that
> reason
> 
> this is documented in h264.h:
>     DCTELEM mb_padding[256 * 2];        ///< as mb is addressed by scantable[i] and scantable is uint8_t we can either check that i is not too large or ensure that there is some unused stuff after mb
> 
> So it does not seem possible, but maybe I am missing something
> How did you find/reproduce this bug?

I suspect automated checkers.
In which case a possible option would be to pad the mb/mb_luma_dc
arrays themselves, though admittedly this would waste some memory...
There are surely other ways as well, not sure if any are worth it though.
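As an added illustration of the two defenses this thread weighs against each other (not FFmpeg's code, but a constructed model): the explicit zeros_left check from the patch subject, and the 256-entry padding behind the coefficient array that the h264.h comment relies on. The block size, scan table, VLC table and function names are all hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of the coefficient write debated above; it is
 * not FFmpeg's code. Scan positions come from a uint8_t table and zeros_left
 * from a hypothetical VLC read that reports an invalid code as -1. */

#define BLOCK_COEFFS  16   /* hypothetical 4x4 block */
#define INDEX_PADDING 256  /* a uint8_t index can never exceed 255 */

typedef struct {
    uint8_t scantable[BLOCK_COEFFS];
    int16_t coeffs[BLOCK_COEFFS + INDEX_PADDING]; /* padding keeps any uint8_t index in bounds */
} block_t;

/* Hypothetical VLC read: maps a code to zeros_left, or -1 for an invalid code. */
int read_zeros_left(int code) {
    static const int8_t vlc[4] = { 0, 1, 3, -1 }; /* constructed table; code 3 is invalid */
    return (code >= 0 && code < 4) ? vlc[code] : -1;
}

/* Writes one coefficient; returns the scan position used, or -1 on an invalid
 * code. The zeros_left < 0 check is the one the patch subject describes:
 * without it, scantable[zeros_left] would read scantable[-1]. The padding
 * behind coeffs bounds the write, but not that out-of-range table read. */
int write_coeff_checked(block_t *b, int code, int16_t level) {
    int zeros_left = read_zeros_left(code);
    if (zeros_left < 0 || zeros_left >= BLOCK_COEFFS)
        return -1;
    int pos = b->scantable[zeros_left]; /* 0..255 by type, < BLOCK_COEFFS by construction */
    b->coeffs[pos] = level;
    return pos;
}

void block_init(block_t *b) {
    memset(b, 0, sizeof(*b));
    for (int i = 0; i < BLOCK_COEFFS; i++)
        b->scantable[i] = (uint8_t)(BLOCK_COEFFS - 1 - i); /* constructed reverse scan */
}

/* Runs one write on a fresh block: returns the position written (or -1) and,
 * through *stored, the value now at that position (0 when rejected). */
int demo_write(int code, int16_t level, int16_t *stored) {
    block_t b;
    block_init(&b);
    int pos = write_coeff_checked(&b, code, level);
    if (stored) *stored = pos >= 0 ? b.coeffs[pos] : 0;
    return pos;
}
```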
