author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-17 09:09:41 -0700 |
---|---|---|
committer | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-28 08:01:29 -0700 |
commit | a940198130de3ab0c50d832bf7a27a70cfed11cc (patch) | |
tree | ec959578744fd2f2bfdb006dae39669f497a1547 /libavcodec/x86/cabac.h | |
parent | 448dc42571edc5bc91da7b0b017daa61118ba2f5 (diff) | |
download | ffmpeg-a940198130de3ab0c50d832bf7a27a70cfed11cc.tar.gz |
cabac: add overread protection to BRANCHLESS_GET_CABAC().
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Diffstat (limited to 'libavcodec/x86/cabac.h')
-rw-r--r-- | libavcodec/x86/cabac.h | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/libavcodec/x86/cabac.h b/libavcodec/x86/cabac.h
index ca8a1d5b5f..a6ec22831d 100644
--- a/libavcodec/x86/cabac.h
+++ b/libavcodec/x86/cabac.h
@@ -51,7 +51,7 @@
         "xor    "tmp"       , "ret"                                   \n\t"
 #endif /* HAVE_FAST_CMOV */
 
-#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte) \
+#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte, end) \
         "movzbl "statep"    , "ret"                                     \n\t"\
         "mov    "range"     , "tmp"                                     \n\t"\
         "and    $0xC0       , "range"                                   \n\t"\
@@ -64,9 +64,12 @@
         "shl    %%cl        , "low"                                     \n\t"\
         "mov    "tmpbyte"   , "statep"                                  \n\t"\
         "test   "lowword"   , "lowword"                                 \n\t"\
-        " jnz    1f                                                     \n\t"\
+        " jnz    2f                                                     \n\t"\
         "mov    "byte"      , %%"REG_c"                                 \n\t"\
+        "cmp    "end"       , %%"REG_c"                                 \n\t"\
+        "jge    1f                                                      \n\t"\
         "add"OPSIZE" $2     , "byte"                                    \n\t"\
+        "1:                                                             \n\t"\
         "movzwl (%%"REG_c") , "tmp"                                     \n\t"\
         "lea    -1("low")   , %%ecx                                     \n\t"\
         "xor    "low"       , %%ecx                                     \n\t"\
@@ -79,7 +82,7 @@
         "add    $7          , %%ecx                                     \n\t"\
         "shl    %%cl        , "tmp"                                     \n\t"\
         "add    "tmp"       , "low"                                     \n\t"\
-        "1:                                                             \n\t"
+        "2:                                                             \n\t"
 
 #if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
 #define get_cabac_inline get_cabac_inline_x86
@@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c,
 
     __asm__ volatile(
         BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
-                             "%2", "%3", "%b3", "%a6(%5)")
+                             "%2", "%3", "%b3",
+                             "%a6(%5)", "%a7(%5)")
         : "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
         : "r"(state), "r"(c),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return bit & 1;
|
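Review bot: BRANCHLESS_GET_CABAC gains a ninth parameter, `end`, so every expansion of the macro must now pass it; only the call in get_cabac_inline_x86 is updated on this page, and because the diffstat is limited to libavcodec/x86/cabac.h any other user of the macro (if one exists elsewhere in the tree) cannot be checked from here and would stop compiling until it supplies the `bytestream_end` operand too. The new parameter's contract is not documented at the `#define`; a one-line comment above it, `/* end: memory operand addressing CABACContext.bytestream_end; byte is not advanced once it reaches end */`, would tell the next maintainer what to pass. The macro body continues into the following two hunks.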
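Review bot: The new bounds check compares two pointers with a signed condition: `cmp "end", %%REG_c` followed by `jge 1f`. Addresses are unsigned quantities, so `jae 1f` is the matching condition; with `jge`, a buffer whose bytes straddle the signed/unsigned boundary of the address space (possible on 32-bit) compares the wrong way and the pointer can still be advanced past `end`. Separately, the guard only skips the `add $2` to `byte`; the `movzwl (%%REG_c)` after label `1:` still loads two bytes from the old `bytestream` value even when it is already at or beyond `bytestream_end`, so what this protects is the pointer not running away, and the load itself still depends on the caller providing readable padding after the end of the input — worth a comment on the `cmp` line such as `/* stop advancing bytestream at bytestream_end; the 2-byte load below still expects padding there */`. The macro body starts in the previous hunk and ends in the next.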