From a940198130de3ab0c50d832bf7a27a70cfed11cc Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Sat, 17 Mar 2012 09:09:41 -0700
Subject: [PATCH] cabac: add overread protection to BRANCHLESS_GET_CABAC().
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavcodec/x86/cabac.h | 15 ++++++++++-----
 libavcodec/x86/h264_i386.h | 18 ++++++++++++------
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/libavcodec/x86/cabac.h b/libavcodec/x86/cabac.h
index ca8a1d5..a6ec228 100644
--- a/libavcodec/x86/cabac.h
+++ b/libavcodec/x86/cabac.h
@@ -51,7 +51,7 @@
 "xor "tmp" , "ret" \n\t"
 #endif /* HAVE_FAST_CMOV */
-#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte) \
+#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte, end) \
 "movzbl "statep" , "ret" \n\t"\
 "mov "range" , "tmp" \n\t"\
 "and $0xC0 , "range" \n\t"\
@@ -64,9 +64,12 @@
 "shl %%cl , "low" \n\t"\
 "mov "tmpbyte" , "statep" \n\t"\
 "test "lowword" , "lowword" \n\t"\
- " jnz 1f \n\t"\
+ " jnz 2f \n\t"\
 "mov "byte" , %%"REG_c" \n\t"\
+ "cmp "end" , %%"REG_c" \n\t"\
+ "jge 1f \n\t"\
 "add"OPSIZE" $2 , "byte" \n\t"\
+ "1: \n\t"\
 "movzwl (%%"REG_c") , "tmp" \n\t"\
 "lea -1("low") , %%ecx \n\t"\
 "xor "low" , %%ecx \n\t"\
@@ -79,7 +82,7 @@
 "add $7 , %%ecx \n\t"\
 "shl %%cl , "tmp" \n\t"\
 "add "tmp" , "low" \n\t"\
- "1: \n\t"
+ "2: \n\t"
 #if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
 #define get_cabac_inline get_cabac_inline_x86
@@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c,
 __asm__ volatile(
 BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
- "%2", "%3", "%b3", "%a6(%5)")
+ "%2", "%3", "%b3",
+ "%a6(%5)", "%a7(%5)")
 : "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
 : "r"(state), "r"(c),
- "i"(offsetof(CABACContext, bytestream))
+ "i"(offsetof(CABACContext, bytestream)),
+ "i"(offsetof(CABACContext, bytestream_end))
 : "%"REG_c, "memory"
 );
 return bit & 1;
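Review bot: The new bounds check `cmp "end", %%REG_c` / `jge 1f` in the @@ -64 hunk applies a signed condition to two pointer values; addresses compare unsigned, so the branch should read `"jae 1f \n\t"\`. As far as I can tell from the hunk, the signed form can only stop the pointer from advancing early when a 32-bit buffer straddles the sign boundary, so the failure direction is conservative, but the unsigned condition removes the doubt. Note also that the guard skips only the `add $2, byte`: the `movzwl (%%REG_c)` two lines later still executes once bytestream has reached end, so the protection assumes at least two readable bytes at and after bytestream_end (presumably the same padding assumption the C refill path relies on), which deserves a comment on the macro, e.g. `/* end: one past the last input byte; the 16-bit load below still runs when bytestream >= end, so callers must provide readable padding there */`. The macro definition begins in the @@ -51 hunk and ends in the @@ -79 hunk; the get_cabac_inline_x86 hunk (@@ -90) and the h264_i386.h call sites only thread the new bytestream_end operand through.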
diff --git a/libavcodec/x86/h264_i386.h b/libavcodec/x86/h264_i386.h
index 31ddaf6..e849a3d 100644
--- a/libavcodec/x86/h264_i386.h
+++ b/libavcodec/x86/h264_i386.h
@@ -49,14 +49,16 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
 "3: \n\t"
 BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
- "%5", "%k0", "%b0", "%a11(%6)")
+ "%5", "%k0", "%b0",
+ "%a11(%6)", "%a12(%6)")
 "test $1, %4 \n\t"
 " jz 4f \n\t"
 "add %10, %1 \n\t"
 BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
- "%5", "%k0", "%b0", "%a11(%6)")
+ "%5", "%k0", "%b0",
+ "%a11(%6)", "%a12(%6)")
 "sub %10, %1 \n\t"
 "mov %2, %0 \n\t"
@@ -83,7 +85,8 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
 : "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index),
 "+&r"(c->low), "=&r"(bit), "+&r"(c->range)
 : "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off),
- "i"(offsetof(CABACContext, bytestream))
+ "i"(offsetof(CABACContext, bytestream)),
+ "i"(offsetof(CABACContext, bytestream_end))
 : "%"REG_c, "memory"
 );
 return coeff_count;
@@ -106,7 +109,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
 "add %9, %6 \n\t"
 BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
- "%5", "%k0", "%b0", "%a12(%7)")
+ "%5", "%k0", "%b0",
+ "%a12(%7)", "%a13(%7)")
 "mov %1, %k6 \n\t"
 "test $1, %4 \n\t"
@@ -116,7 +120,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
 "add %11, %6 \n\t"
 BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
- "%5", "%k0", "%b0", "%a12(%7)")
+ "%5", "%k0", "%b0",
+ "%a12(%7)", "%a13(%7)")
 "mov %2, %0 \n\t"
 "mov %1, %k6 \n\t"
@@ -141,7 +146,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
 "=&r"(bit), "+&r"(c->range), "=&r"(state)
 : "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base), "m"(sig_off),
 "m"(last_coeff_ctx_base),
- "i"(offsetof(CABACContext, bytestream))
+ "i"(offsetof(CABACContext, bytestream)),
+ "i"(offsetof(CABACContext, bytestream_end))
 : "%"REG_c, "memory"
 );
 return coeff_count;
-- 
2.7.4
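Review bot: The new `"%a12(%6)"` operand in both BRANCHLESS_GET_CABAC invocations of the @@ -49 hunk is bound purely by position, so it has to stay in step with the `"i"(offsetof(CABACContext, bytestream_end))` appended at the end of the input list in the @@ -83 hunk (the same applies to `%a13(%7)` in the @@ -106 and @@ -116 hunks against the list in @@ -141); an off-by-one there would silently compare against the wrong field with no compiler diagnostic. Naming the operands, e.g. `[end] "i"(offsetof(CABACContext, bytestream_end))` in the input list and `"%a[end](%6)"` at the call sites, would make the pairing verifiable without counting. A comment would also help here: the guard lives inside the macro and only stops `bytestream` advancing past `bytestream_end`, so on an exhausted stream these loops keep decoding from re-read trailing bytes rather than failing, and the caller presumably compares bytestream with bytestream_end afterwards to flag truncation — confirm. decode_significance_x86 starts and ends outside this hunk.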