avcodec/cabac: Check initial cabac decoder state

Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2015-11-27 13:37:50 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2015-11-27 13:52:47 +0100
commit: 8000d484b83aafa752d84fbdbfb352ffe0dc64f8 (patch)
tree: a7872c85e8a811fc9abe6997765e20b8bcf8b511 /libavcodec/cabac.c
parent: a1f6b05f5228979dab0e149deca7a30d22e98af5 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 598c942798..5bf5bc284e 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -175,7 +175,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){
  *
  * @param buf_size size of buf in bits
  */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
     c->bytestream_start=
     c->bytestream= buf;
     c->bytestream_end= buf + buf_size;
@@ -188,6 +188,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 #endif
     c->low+= ((*c->bytestream++)<<2) + 2;
     c->range= 0x1FE;
+    if ((c->range<<(CABAC_BITS+1)) < c->low)
+        return AVERROR_INVALIDDATA;
+    return 0;
 }
 
 #ifdef TEST
author	Michael Niedermayer <michael@niedermayer.cc>	2015-11-27 13:37:50 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2015-11-27 13:52:47 +0100
commit	8000d484b83aafa752d84fbdbfb352ffe0dc64f8 (patch)
tree	a7872c85e8a811fc9abe6997765e20b8bcf8b511 /libavcodec/cabac.c
parent	a1f6b05f5228979dab0e149deca7a30d22e98af5 (diff)