cabac: add overread protection to BRANCHLESS_GET_CABAC().
authorRonald S. Bultje <rsbultje@gmail.com>
Sat, 17 Mar 2012 16:09:41 +0000 (09:09 -0700)
committerRonald S. Bultje <rsbultje@gmail.com>
Wed, 28 Mar 2012 15:01:29 +0000 (08:01 -0700)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
libavcodec/x86/cabac.h
libavcodec/x86/h264_i386.h

index ca8a1d5..a6ec228 100644 (file)
@@ -51,7 +51,7 @@
         "xor    "tmp"       , "ret"     \n\t"
 #endif /* HAVE_FAST_CMOV */
 
-#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte) \
+#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte, end) \
         "movzbl "statep"    , "ret"                                     \n\t"\
         "mov    "range"     , "tmp"                                     \n\t"\
         "and    $0xC0       , "range"                                   \n\t"\
         "shl    %%cl        , "low"                                     \n\t"\
         "mov    "tmpbyte"   , "statep"                                  \n\t"\
         "test   "lowword"   , "lowword"                                 \n\t"\
-        " jnz   1f                                                      \n\t"\
+        " jnz   2f                                                      \n\t"\
         "mov    "byte"      , %%"REG_c"                                 \n\t"\
+        "cmp    "end"       , %%"REG_c"                                 \n\t"\
+        "jge    1f                                                      \n\t"\
         "add"OPSIZE" $2     , "byte"                                    \n\t"\
+        "1:                                                             \n\t"\
         "movzwl (%%"REG_c")     , "tmp"                                 \n\t"\
         "lea    -1("low")   , %%ecx                                     \n\t"\
         "xor    "low"       , %%ecx                                     \n\t"\
@@ -79,7 +82,7 @@
         "add    $7          , %%ecx                                     \n\t"\
         "shl    %%cl        , "tmp"                                     \n\t"\
         "add    "tmp"       , "low"                                     \n\t"\
-        "1:                                                             \n\t"
+        "2:                                                             \n\t"
 
 #if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
 #define get_cabac_inline get_cabac_inline_x86
@@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c,
 
     __asm__ volatile(
         BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
-                             "%2", "%3", "%b3", "%a6(%5)")
+                             "%2", "%3", "%b3",
+                             "%a6(%5)", "%a7(%5)")
         : "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
         : "r"(state), "r"(c),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return bit & 1;
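Review bot: The new bound test `cmp end, %%REG_c` / `jge 1f` in BRANCHLESS_GET_CABAC compares two pointers with a signed branch; on 32-bit builds a buffer straddling the 2 GiB boundary would compare the wrong way and stop advancing early (failing safe, but decoding stale bits), so the unsigned `jae 1f` is the right form for a pointer compare. Note also that when the branch is taken the `movzwl (%%REG_c), tmp` on the following line still executes, so once the pointer has reached bytestream_end the macro reads a 16-bit word at bytestream_end itself; that is only safe if every caller's buffer has at least two readable bytes past bytestream_end, presumably the decoder's input padding, which should be confirmed. The check freezes the pointer but reports nothing, so a truncated stream keeps yielding bits from the last word rather than signalling exhaustion, and callers still need their own bytestream >= bytestream_end test to reject it. I would put the invariant above the `#define`: `/* Refill reads a 16-bit word at bytestream even when bytestream >= bytestream_end, so callers must provide >= 2 bytes of readable padding past bytestream_end; bytestream itself is never advanced past it. */`. The macro body spans the first two hunks, and get_cabac_inline_x86 begins outside the third.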
index 31ddaf6..e849a3d 100644 (file)
@@ -49,14 +49,16 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
         "3:                                     \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a11(%6)")
+                             "%5", "%k0", "%b0",
+                             "%a11(%6)", "%a12(%6)")
 
         "test $1, %4                            \n\t"
         " jz 4f                                 \n\t"
         "add  %10, %1                           \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a11(%6)")
+                             "%5", "%k0", "%b0",
+                             "%a11(%6)", "%a12(%6)")
 
         "sub  %10, %1                           \n\t"
         "mov  %2, %0                            \n\t"
@@ -83,7 +85,8 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
         : "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index),
           "+&r"(c->low), "=&r"(bit), "+&r"(c->range)
         : "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return coeff_count;
@@ -106,7 +109,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
         "add %9, %6                             \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a12(%7)")
+                             "%5", "%k0", "%b0",
+                             "%a12(%7)", "%a13(%7)")
 
         "mov %1, %k6                            \n\t"
         "test $1, %4                            \n\t"
@@ -116,7 +120,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
         "add %11, %6                            \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a12(%7)")
+                             "%5", "%k0", "%b0",
+                             "%a12(%7)", "%a13(%7)")
 
         "mov %2, %0                             \n\t"
         "mov %1, %k6                            \n\t"
@@ -141,7 +146,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
           "=&r"(bit), "+&r"(c->range), "=&r"(state)
         : "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base),
           "m"(sig_off), "m"(last_coeff_ctx_base),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return coeff_count;
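Review bot: In decode_significance_x86 the asm now carries two unrelated "ends" and nothing at the call site distinguishes them: `%8` is `"m"(end)`, the end of the significance-context range used by the loop, while the new `%a12(%6)` is the offset of bytestream_end, and the macro's own parameter is also called `end`. I would annotate the two offset arguments at each invocation, e.g. `"%a11(%6)", "%a12(%6)") /* bytestream, bytestream_end */`, and the same for `%a12(%7)`/`%a13(%7)` in decode_significance_8x8_x86. Each macro expansion also defines local labels `1:` and `2:` twice inside one asm block; the forward `1f`/`2f` references resolve to the nearest following definition, so this is correct only as long as the surrounding asm defines neither label between the two expansions (only `3:` and `4f` are visible here; the full bodies lie outside the hunks). Finally, because the new check only stops the pointer from advancing, a truncated slice still produces a coeff_count built from stale bits; the H.264 layer presumably compares bytestream against bytestream_end after the macroblock loop to reject such slices, which is worth confirming since this patch does not add it.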