[FFmpeg-cvslog] smacker: Make sure we don't fill in huffman codes out of range

Martin Storsjö git at videolan.org
Tue Oct 8 00:46:12 CEST 2013


ffmpeg | branch: release/1.1 | Martin Storsjö <martin at martin.st> | Wed Sep 11 15:54:20 2013 +0300| [01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45] | committer: Luca Barbato

smacker: Make sure we don't fill in huffman codes out of range

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit 0679cec6e8802643bbe6d5f68ca1110a7d3171da)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45
---

 libavcodec/smacker.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index a72d7c5..2baf059 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -257,6 +257,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
     if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
     if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
     if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+    if (ctx.last[0] >= huff.length ||
+        ctx.last[1] >= huff.length ||
+        ctx.last[2] >= huff.length) {
+        av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
+        err = AVERROR_INVALIDDATA;
+    }
 
     *recodes = huff.values;
 



More information about the ffmpeg-cvslog mailing list