vp9/update_prob: prevent out of bounds table read

the max value of the lookup in expanded form is: (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254 add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams Signed-off-by: James Zern <jzern@google.com> Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago · e91f860ea7
parent 088b410ea2
commit e91f860ea7
1 changed files with 3 additions and 2 deletions
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@ -425,7 +425,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m)
 // differential forward probability updates
 static int update_prob(VP56RangeCoder *c, int p)
 {
-    static const int inv_map_table[254] = {
+    static const int inv_map_table[255] = {
          7,  20,  33,  46,  59,  72,  85,  98, 111, 124, 137, 150, 163, 176,
        189, 202, 215, 228, 241, 254,   1,   2,   3,   4,   5,   6,   8,   9,
         10,  11,  12,  13,  14,  15,  16,  17,  18,  19,  21,  22,  23,  24,
@ -444,7 +444,7 @@ static int update_prob(VP56RangeCoder *c, int p)
        207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221,
        222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236,
        237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
-        252, 253,
+        252, 253, 253,
    };
    int d;

@ -474,6 +474,7 @@ static int update_prob(VP56RangeCoder *c, int p)
        if (d >= 65)
            d = (d << 1) - 65 + vp8_rac_get(c);
        d += 64;
+        av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));
    }

    return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) :