From c84d42f86499b0b2af2f57a97ec8ca30529817b5 Mon Sep 17 00:00:00 2001 From: Attila Nagy Date: Wed, 9 Nov 2011 14:44:31 +0200 Subject: [PATCH] Validate encoder buffer writes for single token partition Extend buffer write validation (overflow check) to single token partition packing, both mb and row based functions. Change-Id: I36e19b7d37fc43712d05c70e3ad223d3eb5b973d --- vp8/encoder/bitstream.c | 35 +++++++++++++++++++++++++++++++++++ vp8/encoder/onyx_if.c | 8 +++++--- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/vp8/encoder/bitstream.c b/vp8/encoder/bitstream.c index 748b60778..e02eaa50d 100644 --- a/vp8/encoder/bitstream.c +++ b/vp8/encoder/bitstream.c @@ -221,6 +221,11 @@ static void pack_tokens_c(vp8_writer *w, const TOKENEXTRA *p, int xcount) w->buffer[x] += 1; } + validate_buffer(w->buffer + w->pos, + 1, + w->buffer_end, + w->error); + w->buffer[w->pos++] = (lowvalue >> (24 - offset)); lowvalue <<= offset; shift = count; @@ -281,6 +286,11 @@ static void pack_tokens_c(vp8_writer *w, const TOKENEXTRA *p, int xcount) w->buffer[x] += 1; } + validate_buffer(w->buffer + w->pos, + 1, + w->buffer_end, + w->error); + w->buffer[w->pos++] = (lowvalue >> (24 - offset)); lowvalue <<= offset; shift = count; @@ -329,6 +339,12 @@ static void pack_tokens_c(vp8_writer *w, const TOKENEXTRA *p, int xcount) if (!++count) { count = -8; + + validate_buffer(w->buffer + w->pos, + 1, + w->buffer_end, + w->error); + w->buffer[w->pos++] = (lowvalue >> 24); lowvalue &= 0xffffff; } @@ -664,6 +680,11 @@ static void pack_mb_row_tokens_c(VP8_COMP *cpi, vp8_writer *w) w->buffer[x] += 1; } + validate_buffer(w->buffer + w->pos, + 1, + w->buffer_end, + w->error); + w->buffer[w->pos++] = (lowvalue >> (24 - offset)); lowvalue <<= offset; shift = count; @@ -724,6 +745,11 @@ static void pack_mb_row_tokens_c(VP8_COMP *cpi, vp8_writer *w) w->buffer[x] += 1; } + validate_buffer(w->buffer + w->pos, + 1, + w->buffer_end, + w->error); + w->buffer[w->pos++] = (lowvalue >> (24 - offset)); lowvalue <<= offset; shift = count; @@ -770,6 +796,12 @@ static void pack_mb_row_tokens_c(VP8_COMP *cpi, vp8_writer *w) if (!++count) { count = -8; + + validate_buffer(w->buffer + w->pos, + 1, + w->buffer_end, + w->error); + w->buffer[w->pos++] = (lowvalue >> 24); lowvalue &= 0xffffff; } @@ -1566,6 +1598,9 @@ void vp8_pack_bitstream(VP8_COMP *cpi, unsigned char *dest, unsigned char * dest mb_feature_data_bits = vp8_mb_feature_data_bits; + cpi->bc.error = &pc->error; + cpi->bc2.error = &pc->error; + validate_buffer(cx_data, 3, cx_data_end, &cpi->common.error); cx_data += 3; diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c index 6a51cdacc..50278fe6e 100644 --- a/vp8/encoder/onyx_if.c +++ b/vp8/encoder/onyx_if.c @@ -4940,7 +4940,7 @@ int vp8_get_compressed_data(VP8_PTR ptr, unsigned int *frame_flags, unsigned lon int64_t store_reg[8]; #endif VP8_COMP *cpi = (VP8_COMP *) ptr; - VP8_COMMON *cm = &cpi->common; + VP8_COMMON *cm; struct vpx_usec_timer tsctimer; struct vpx_usec_timer ticktimer; struct vpx_usec_timer cmptimer; @@ -4949,12 +4949,14 @@ int vp8_get_compressed_data(VP8_PTR ptr, unsigned int *frame_flags, unsigned lon if (!cpi) return -1; - if (setjmp(cpi->common.error.jmp)){ + cm = &cpi->common; + + if (setjmp(cpi->common.error.jmp)) + { cpi->common.error.setjmp = 0; return VPX_CODEC_CORRUPT_FRAME; } - cpi->bc.error = &cpi->common.error; cpi->common.error.setjmp = 1; #if HAVE_ARMV7 -- 2.40.0