[FFmpeg-cvslog] webp: validate the distance prefix code

Andreas Cadhalpun git at videolan.org
Mon Mar 9 13:25:59 CET 2015


ffmpeg | branch: release/2.2 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Mon Mar  2 20:47:57 2015 +0100| [61c966ef30129a0e4dba485242c039a895914d33] | committer: Vittorio Giovara

webp: validate the distance prefix code

According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.

If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Anton Khirnov <anton at khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=61c966ef30129a0e4dba485242c039a895914d33
---

 libavcodec/webp.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index f9f8bfc..7153c75 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -684,6 +684,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role,
                 length = offset + get_bits(&s->gb, extra_bits) + 1;
             }
             prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb);
+            if (prefix_code > 39) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "distance prefix code too large: %d\n", prefix_code);
+                return AVERROR_INVALIDDATA;
+            }
             if (prefix_code < 4) {
                 distance = prefix_code + 1;
             } else {



More information about the ffmpeg-cvslog mailing list