[FFmpeg-cvslog] smacker: Make sure we don't fill in huffman codes out of range
Martin Storsjö
git at videolan.org
Thu Jan 16 21:51:28 CET 2014
ffmpeg | branch: release/0.10 | Martin Storsjö <martin at martin.st> | Wed Sep 11 15:54:20 2013 +0300| [d5c104c1ae56060f273c202f103ba19f3f85bbcf] | committer: Luca Barbato
smacker: Make sure we don't fill in huffman codes out of range
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit 0679cec6e8802643bbe6d5f68ca1110a7d3171da)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5c104c1ae56060f273c202f103ba19f3f85bbcf
---
libavcodec/smacker.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index e9192ff..e07fc37 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -263,6 +263,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+ if (ctx.last[0] >= huff.length ||
+ ctx.last[1] >= huff.length ||
+ ctx.last[2] >= huff.length) {
+ av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
+ err = AVERROR_INVALIDDATA;
+ }
*recodes = huff.values;
More information about the ffmpeg-cvslog
mailing list