Merge pull request #2171 from HaiboZhu/Bugfix_entropy_decoding_upper_check_v1.5

HaiboZhu · HaiboZhu · commit 9e1f1790e3b5 · 2015-10-19T16:31:26.000+08:00
Add protection for unsigned int output for openh264v1.5
diff --git a/codec/decoder/core/inc/dec_golomb.h b/codec/decoder/core/inc/dec_golomb.h
@@ -179,7 +179,7 @@ static inline uint32_t BsGetUe (PBitStringAux pBs, uint32_t* pCode) {
     DUMP_BITS (pBs->uiCurBits, pBs->pCurBuf, pBs->iLeftBits, iLeadingZeroBits, iAllowedBytes, iReadBytes);
   }
 
-  *pCode = ((1 << iLeadingZeroBits) - 1 + iValue);
+  *pCode = ((1u << iLeadingZeroBits) - 1 + iValue);
   return ERR_NONE;
 }
 
diff --git a/codec/decoder/core/src/cabac_decoder.cpp b/codec/decoder/core/src/cabac_decoder.cpp
@@ -273,8 +273,8 @@ int32_t DecodeExpBypassCabac (PWelsCabacDecEngine pDecEngine, int32_t iCount, ui
       iSymTmp += (1 << iCount);
       ++iCount;
     }
-  } while (uiCode != 0 && iCount != 31);
-  if (iCount == 31) {
+  } while (uiCode != 0 && iCount != 16);
+  if (iCount == 16) {
     return ERR_CABAC_UNEXPECTED_VALUE;
   }
 
diff --git a/codec/decoder/core/src/decoder_core.cpp b/codec/decoder/core/src/decoder_core.cpp
@@ -389,25 +389,25 @@ int32_t ParseDecRefPicMarking (PWelsDecoderContext pCtx, PBitStringAux pBs, PSli
       int32_t iIdx = 0;
       do {
         WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //memory_management_control_operation
-        const int32_t kiMmco = uiCode;
+        const uint32_t kuiMmco = uiCode;
 
-        kpRefMarking->sMmcoRef[iIdx].uiMmcoType = kiMmco;
-        if (kiMmco == MMCO_END)
+        kpRefMarking->sMmcoRef[iIdx].uiMmcoType = kuiMmco;
+        if (kuiMmco == MMCO_END)
           break;
 
-        if (kiMmco == MMCO_SHORT2UNUSED || kiMmco == MMCO_SHORT2LONG) {
+        if (kuiMmco == MMCO_SHORT2UNUSED || kuiMmco == MMCO_SHORT2LONG) {
           WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //difference_of_pic_nums_minus1
           kpRefMarking->sMmcoRef[iIdx].iDiffOfPicNum = 1 + uiCode;
           kpRefMarking->sMmcoRef[iIdx].iShortFrameNum = (pSh->iFrameNum - kpRefMarking->sMmcoRef[iIdx].iDiffOfPicNum) & ((
                 1 << pSps->uiLog2MaxFrameNum) - 1);
-        } else if (kiMmco == MMCO_LONG2UNUSED) {
+        } else if (kuiMmco == MMCO_LONG2UNUSED) {
           WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //long_term_pic_num
           kpRefMarking->sMmcoRef[iIdx].uiLongTermPicNum = uiCode;
         }
-        if (kiMmco == MMCO_SHORT2LONG || kiMmco == MMCO_LONG) {
+        if (kuiMmco == MMCO_SHORT2LONG || kuiMmco == MMCO_LONG) {
           WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //long_term_frame_idx
           kpRefMarking->sMmcoRef[iIdx].iLongTermFrameIdx = uiCode;
-        } else if (kiMmco == MMCO_SET_MAX_LONG) {
+        } else if (kuiMmco == MMCO_SET_MAX_LONG) {
           WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //max_long_term_frame_idx_plus1
           kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = -1 + uiCode;
         }
@@ -690,6 +690,8 @@ int32_t ParseSliceHeaderSyntaxs (PWelsDecoderContext pCtx, PBitStringAux pBs, co
 
   // first_mb_in_slice
   WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //first_mb_in_slice
+  WELS_CHECK_SE_UPPER_ERROR (uiCode, 36863u, "first_mb_in_slice", GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER,
+                             ERR_INFO_INVALID_FIRST_MB_IN_SLICE));
   pSliceHead->iFirstMbInSlice = uiCode;
 
   WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //slice_type
@@ -721,13 +723,10 @@ int32_t ParseSliceHeaderSyntaxs (PWelsDecoderContext pCtx, PBitStringAux pBs, co
   pSliceHead->eSliceType = static_cast <EWelsSliceType> (uiSliceType);
 
   WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //pic_parameter_set_id
+  WELS_CHECK_SE_UPPER_ERROR (uiCode, MAX_PPS_COUNT, "iPpsId out of range", GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER,
+                             ERR_INFO_PPS_ID_OVERFLOW));
   iPpsId = uiCode;
 
-  if (iPpsId >= MAX_PPS_COUNT) {
-    WelsLog (pLogCtx, WELS_LOG_WARNING, "iPpsId out of range");
-    return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER, ERR_INFO_PPS_ID_OVERFLOW);
-  }
-
   //add check PPS available here
   if (pCtx->bPpsAvailFlags[iPpsId] == false) {
     pCtx->sDecoderStatistics.iPpsReportErrorNum++;
@@ -939,9 +938,8 @@ int32_t ParseSliceHeaderSyntaxs (PWelsDecoderContext pCtx, PBitStringAux pBs, co
   if (pPps->bEntropyCodingModeFlag) {
     if (pSliceHead->eSliceType != I_SLICE && pSliceHead->eSliceType != SI_SLICE) {
       WELS_READ_VERIFY (BsGetUe (pBs, &uiCode));
+      WELS_CHECK_SE_UPPER_ERROR (uiCode, SLICE_HEADER_CABAC_INIT_IDC_MAX, "cabac_init_idc", ERR_INFO_INVALID_CABAC_INIT_IDC);
       pSliceHead->iCabacInitIdc = uiCode;
-      WELS_CHECK_SE_UPPER_ERROR (pSliceHead->iCabacInitIdc, SLICE_HEADER_CABAC_INIT_IDC_MAX, "cabac_init_idc",
-                                 ERR_INFO_INVALID_CABAC_INIT_IDC);
     } else
       pSliceHead->iCabacInitIdc = 0;
   }

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ static inline uint32_t BsGetUe (PBitStringAux pBs, uint32_t* pCode) {`
`179`	`179`	`DUMP_BITS (pBs->uiCurBits, pBs->pCurBuf, pBs->iLeftBits, iLeadingZeroBits, iAllowedBytes, iReadBytes);`
`180`	`180`	`}`
`181`	`181`
`182`		`- *pCode = ((1 << iLeadingZeroBits) - 1 + iValue);`
	`182`	`+ *pCode = ((1u << iLeadingZeroBits) - 1 + iValue);`
`183`	`183`	`return ERR_NONE;`
`184`	`184`	`}`
`185`	`185`
Original file line number	Diff line number	Diff line change
`@@ -273,8 +273,8 @@ int32_t DecodeExpBypassCabac (PWelsCabacDecEngine pDecEngine, int32_t iCount, ui`
`273`	`273`	`iSymTmp += (1 << iCount);`
`274`	`274`	`++iCount;`
`275`	`275`	`}`
`276`		`- } while (uiCode != 0 && iCount != 31);`
`277`		`- if (iCount == 31) {`
	`276`	`+ } while (uiCode != 0 && iCount != 16);`
	`277`	`+ if (iCount == 16) {`
`278`	`278`	`return ERR_CABAC_UNEXPECTED_VALUE;`
`279`	`279`	`}`
`280`	`280`