vp9/update_prob: prevent out of bounds table read

the max value of the lookup in expanded form is: (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254 add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams Signed-off-by: James Zern <jzern@google.com> Reviewed-by: "Ronald S. Bultje" <rsbultje@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit e91f860ea7) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2015-06-29 23:03:14 -07:00 · 2015-06-29 23:03:14 -07:00 · 002bbc3687
parent 1ea58c6c6a
commit 002bbc3687
1 changed files with 3 additions and 2 deletions
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@ -410,7 +410,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m)
 // differential forward probability updates
 static int update_prob(VP56RangeCoder *c, int p)
 {
-    static const int inv_map_table[254] = {
+    static const int inv_map_table[255] = {
          7,  20,  33,  46,  59,  72,  85,  98, 111, 124, 137, 150, 163, 176,
        189, 202, 215, 228, 241, 254,   1,   2,   3,   4,   5,   6,   8,   9,
         10,  11,  12,  13,  14,  15,  16,  17,  18,  19,  21,  22,  23,  24,
@ -429,7 +429,7 @@ static int update_prob(VP56RangeCoder *c, int p)
        207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221,
        222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236,
        237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
-        252, 253,
+        252, 253, 253,
    };
    int d;

@ -459,6 +459,7 @@ static int update_prob(VP56RangeCoder *c, int p)
        if (d >= 65)
            d = (d << 1) - 65 + vp8_rac_get(c);
        d += 64;
+        av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));
    }

    return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) :