[FFmpeg-cvslog] webp: ensure that each transform is only used once

Andreas Cadhalpun git at videolan.org
Sat Mar 21 02:30:09 CET 2015


ffmpeg | branch: release/2.5 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Thu Mar  5 22:48:28 2015 +0100| [57c7922331d5f2c0999046845bd9bf24ac74c2b7] | committer: Michael Niedermayer

webp: ensure that each transform is only used once

According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".

If a transform is more than once this can lead to memory
corruption.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit c089e720c1b753790c746a13053636d7facf6bf0)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=57c7922331d5f2c0999046845bd9bf24ac74c2b7
---

 libavcodec/webp.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 4b1c8e7..802b03c 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -1099,7 +1099,7 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p,
                                      unsigned int data_size, int is_alpha_chunk)
 {
     WebPContext *s = avctx->priv_data;
-    int w, h, ret, i;
+    int w, h, ret, i, used;
 
     if (!is_alpha_chunk) {
         s->lossless = 1;
@@ -1149,8 +1149,16 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p,
     /* parse transformations */
     s->nb_transforms = 0;
     s->reduced_width = 0;
+    used = 0;
     while (get_bits1(&s->gb)) {
         enum TransformType transform = get_bits(&s->gb, 2);
+        if (used & (1 << transform)) {
+            av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n",
+                   transform);
+            ret = AVERROR_INVALIDDATA;
+            goto free_and_return;
+        }
+        used |= (1 << transform);
         s->transforms[s->nb_transforms++] = transform;
         switch (transform) {
         case PREDICTOR_TRANSFORM:



More information about the ffmpeg-cvslog mailing list