cabac: add overread protection to BRANCHLESS_GET_CABAC().

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-17 09:09:41 -0700
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-28 08:01:29 -0700
commit: a940198130de3ab0c50d832bf7a27a70cfed11cc (patch)
tree: ec959578744fd2f2bfdb006dae39669f497a1547 /libavcodec/x86/h264_i386.h
parent: 448dc42571edc5bc91da7b0b017daa61118ba2f5 (diff)
1 files changed, 12 insertions, 6 deletions
diff --git a/libavcodec/x86/h264_i386.h b/libavcodec/x86/h264_i386.h
index 31ddaf6ee9..e849a3d90c 100644
--- a/libavcodec/x86/h264_i386.h
+++ b/libavcodec/x86/h264_i386.h
@@ -49,14 +49,16 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
         "3:                                     \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a11(%6)")
+                             "%5", "%k0", "%b0",
+                             "%a11(%6)", "%a12(%6)")
 
         "test $1, %4                            \n\t"
         " jz 4f                                 \n\t"
         "add  %10, %1                           \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%1)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a11(%6)")
+                             "%5", "%k0", "%b0",
+                             "%a11(%6)", "%a12(%6)")
 
         "sub  %10, %1                           \n\t"
         "mov  %2, %0                            \n\t"
@@ -83,7 +85,8 @@ static int decode_significance_x86(CABACContext *c, int max_coeff,
         : "=&q"(coeff_count), "+r"(significant_coeff_ctx_base), "+m"(index),
           "+&r"(c->low), "=&r"(bit), "+&r"(c->range)
         : "r"(c), "m"(minusstart), "m"(end), "m"(minusindex), "m"(last_off),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return coeff_count;
@@ -106,7 +109,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
         "add %9, %6                             \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a12(%7)")
+                             "%5", "%k0", "%b0",
+                             "%a12(%7)", "%a13(%7)")
 
         "mov %1, %k6                            \n\t"
         "test $1, %4                            \n\t"
@@ -116,7 +120,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
         "add %11, %6                            \n\t"
 
         BRANCHLESS_GET_CABAC("%4", "(%6)", "%3", "%w3",
-                             "%5", "%k0", "%b0", "%a12(%7)")
+                             "%5", "%k0", "%b0",
+                             "%a12(%7)", "%a13(%7)")
 
         "mov %2, %0                             \n\t"
         "mov %1, %k6                            \n\t"
@@ -141,7 +146,8 @@ static int decode_significance_8x8_x86(CABACContext *c,
           "=&r"(bit), "+&r"(c->range), "=&r"(state)
         : "r"(c), "m"(minusindex), "m"(significant_coeff_ctx_base),
           "m"(sig_off), "m"(last_coeff_ctx_base),
-          "i"(offsetof(CABACContext, bytestream))
+          "i"(offsetof(CABACContext, bytestream)),
+          "i"(offsetof(CABACContext, bytestream_end))
         : "%"REG_c, "memory"
     );
     return coeff_count;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-17 09:09:41 -0700
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-28 08:01:29 -0700
commit	a940198130de3ab0c50d832bf7a27a70cfed11cc (patch)
tree	ec959578744fd2f2bfdb006dae39669f497a1547 /libavcodec/x86/h264_i386.h
parent	448dc42571edc5bc91da7b0b017daa61118ba2f5 (diff)