avcodec/h263: Fix global-buffer-overflow with noout flag2 set

h263_get_motion_length() forgot to take an absolute value; as a consequence, a negative index was used to access an array. This leads to potential crashes, but mostly it just accesses what is to the left of ff_mvtab (unless one uses ASAN), thereby defeating the purpose of the AV_CODEC_FLAG2_NO_OUTPUT because the sizes of the returned packets differ from the sizes the encoder would actually have produced. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
author: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> 2021-11-21 03:57:41 +0300
committer: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> 2021-11-26 18:10:24 +0300
commit: 9207dc3b0db368bb9cf5eb295cbc1129c2975e31 (patch)
tree: f376437d667aa5563ae54f9acca6ad8e8de79a62 /libavcodec/h263.h
parent: 27c930002702f512b80124249c5efbcc0ef04841 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/libavcodec/h263.h b/libavcodec/h263.h
index 70fd1ffdc0..d6bef8318d 100644
--- a/libavcodec/h263.h
+++ b/libavcodec/h263.h
@@ -100,15 +100,16 @@ void ff_h263_encode_motion(PutBitContext *pb, int val, int f_code);
 
 
 static inline int h263_get_motion_length(int val, int f_code){
-    int l, bit_size, code;
+    int bit_size, code, sign;
 
     if (val == 0) {
         return 1; /* ff_mvtab[0][1] */
     } else {
         bit_size = f_code - 1;
         /* modulo encoding */
-        l= INT_BIT - 6 - bit_size;
-        val = (val<<l)>>l;
+        val  = sign_extend(val, 6 + bit_size);
+        sign = val >> 31;
+        val  = (val ^ sign) - sign; /* val = FFABS(val) */
         val--;
         code = (val >> bit_size) + 1;
author	Andreas Rheinhardt <andreas.rheinhardt@outlook.com>	2021-11-21 03:57:41 +0300
committer	Andreas Rheinhardt <andreas.rheinhardt@outlook.com>	2021-11-26 18:10:24 +0300
commit	9207dc3b0db368bb9cf5eb295cbc1129c2975e31 (patch)
tree	f376437d667aa5563ae54f9acca6ad8e8de79a62 /libavcodec/h263.h
parent	27c930002702f512b80124249c5efbcc0ef04841 (diff)