authorAnton Khirnov <anton@khirnov.net>2016-12-28 13:02:02 +0100
committerAnton Khirnov <anton@khirnov.net>2017-03-12 20:42:13 +0100
commit522d850e68ec4b77d3477b3c8f55b1ba00a9d69a (patch)
treec05e311e00ff1ab3866dd16229a636a7c7e2bd83 /libavcodec
parent83b2b34d06e74cc8775ba3d833f9782505e17539 (diff)
h264_cavlc: check the value of run_before
Section 9.2.3.2 of the spec implies that run_before must not be larger than zeros_left. Fixes invalid reads with corrupted files. CC: libav-stable@libav.org Bug-Id: 1000 Found-By: Kamil Frankowicz
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/h264_cavlc.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 9b950ede20..c11e211bd8 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -579,8 +579,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl,
for(i=1;i<total_coeff && zeros_left > 0;i++) { \
if(zeros_left < 7) \
run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
- else \
+ else {\
run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+ run_before = FFMIN(zeros_left, run_before);\
+ }\
zeros_left -= run_before; \
scantable -= 1 + run_before; \
((type*)block)[*scantable]= level[i]; \
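Review bot: The `FFMIN(zeros_left, run_before)` clamp in the `else` branch (and the identical one in the second hunk at -594/+596) silently repairs an out-of-range `run_before`, so a corrupted stream keeps decoding with altered coefficient positions and the caller sees no error or log. Since `decode_residual` returns `int`, consider rejecting the stream instead, e.g. `if (run_before > zeros_left) return AVERROR_INVALIDDATA;`, or at minimum document the clamp with a comment such as `/* spec 9.2.3.2: run_before <= zeros_left; clamp keeps scantable inside the scan table */`. The clamp also bounds only the upper side and only the `zeros_left >= 7` path: the `zeros_left < 7` branch relies on each `run_vlc[zeros_left - 1]` table never yielding a larger run, and if `get_vlc2` can return a negative value for an invalid code it would pass through `FFMIN` unchanged; both are worth confirming, as neither is visible in the hunk. The enclosing macro body starts and ends outside the hunk.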
@@ -594,8 +596,10 @@ static int decode_residual(const H264Context *h, H264SliceContext *sl,
for(i=1;i<total_coeff && zeros_left > 0;i++) { \
if(zeros_left < 7) \
run_before= get_vlc2(gb, run_vlc[zeros_left - 1].table, RUN_VLC_BITS, 1); \
- else \
+ else {\
run_before= get_vlc2(gb, run7_vlc.table, RUN7_VLC_BITS, 2); \
+ run_before = FFMIN(zeros_left, run_before);\
+ }\
zeros_left -= run_before; \
scantable -= 1 + run_before; \
((type*)block)[*scantable]= ((int)(level[i] * qmul[*scantable] + 32))>>6; \