cabac: add overread protection to BRANCHLESS_GET_CABAC().

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-17 09:09:41 -0700
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-28 08:01:29 -0700
commit: a940198130de3ab0c50d832bf7a27a70cfed11cc (patch)
tree: ec959578744fd2f2bfdb006dae39669f497a1547 /libavcodec/x86/cabac.h
parent: 448dc42571edc5bc91da7b0b017daa61118ba2f5 (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/libavcodec/x86/cabac.h b/libavcodec/x86/cabac.h
index ca8a1d5b5f..a6ec22831d 100644
--- a/libavcodec/x86/cabac.h
+++ b/libavcodec/x86/cabac.h
@@ -51,7 +51,7 @@
         "xor    "tmp"       , "ret"     \n\t"
 #endif /* HAVE_FAST_CMOV */
 
-#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte) \
+#define BRANCHLESS_GET_CABAC(ret, statep, low, lowword, range, tmp, tmpbyte, byte, end) \
         "movzbl "statep"    , "ret"                                     \n\t"\
         "mov    "range"     , "tmp"                                     \n\t"\
         "and    $0xC0       , "range"                                   \n\t"\
@@ -64,9 +64,12 @@
         "shl    %%cl        , "low"                                     \n\t"\
         "mov    "tmpbyte"   , "statep"                                  \n\t"\
         "test   "lowword"   , "lowword"                                 \n\t"\
-        " jnz   1f                                                      \n\t"\
+        " jnz   2f                                                      \n\t"\
         "mov    "byte"      , %%"REG_c"                                 \n\t"\
+        "cmp    "end"       , %%"REG_c"                                 \n\t"\
+        "jge    1f                                                      \n\t"\
         "add"OPSIZE" $2     , "byte"                                    \n\t"\
+        "1:                                                             \n\t"\
         "movzwl (%%"REG_c")     , "tmp"                                 \n\t"\
         "lea    -1("low")   , %%ecx                                     \n\t"\
         "xor    "low"       , %%ecx                                     \n\t"\
@@ -79,7 +82,7 @@
         "add    $7          , %%ecx                                     \n\t"\
         "shl    %%cl        , "tmp"                                     \n\t"\
         "add    "tmp"       , "low"                                     \n\t"\
-        "1:                                                             \n\t"
+        "2:                                                             \n\t"
 
 #if HAVE_7REGS && !defined(BROKEN_RELOCATIONS)
 #define get_cabac_inline get_cabac_inline_x86
@@ -90,10 +93,12 @@ static av_always_inline int get_cabac_inline_x86(CABACContext *c,
 
     __asm__ volatile(
         BRANCHLESS_GET_CABAC("%0", "(%4)", "%1", "%w1",
-                             "%2", "%3", "%b3", "%a6(%5)")
+                             "%2", "%3", "%b3",
+                             "%a6(%5)", "%a7(%5)")
         : "=&r"(bit), "+&r"(c->low), "+&r"(c->range), "=&q"(tmp)
         : "r"(state), "r"(c),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return bit & 1;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-17 09:09:41 -0700
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-28 08:01:29 -0700
commit	a940198130de3ab0c50d832bf7a27a70cfed11cc (patch)
tree	ec959578744fd2f2bfdb006dae39669f497a1547 /libavcodec/x86/cabac.h
parent	448dc42571edc5bc91da7b0b017daa61118ba2f5 (diff)