ffmpeg | branch: master | James Almer <jamr...@gmail.com> | Sun Nov 12 01:08:10 2017 -0300| [b3e5899e475d02dc0730e9405b4c067c8c78d8f4] | committer: James Almer
Merge commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f' * commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f': smacker: add sanity check for length in smacker_decode_tree() See b829da363985cb2f80130bba304cc29a632f6446 Merged-by: James Almer <jamr...@gmail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3e5899e475d02dc0730e9405b4c067c8c78d8f4 --- libavcodec/smacker.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index dad899c791..2077dde4a1 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -43,6 +43,7 @@ #define SMKTREE_BITS 9 #define SMK_NODE 0x80000000 +#define SMKTREE_DECODE_MAX_RECURSION 32 typedef struct SmackVContext { AVCodecContext *avctx; @@ -95,10 +96,11 @@ enum SmkBlockTypes { */ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length) { - if(length > 32 || length > 3*SMKTREE_BITS) { - av_log(NULL, AV_LOG_ERROR, "length too long\n"); + if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) { + av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n"); return AVERROR_INVALIDDATA; } + if(!get_bits1(gb)){ //Leaf if(hc->current >= hc->length){ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); ====================================================================== diff --cc libavcodec/smacker.c index dad899c791,7deccffa54..2077dde4a1 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@@ -42,7 -42,8 +42,8 @@@ #define SMKTREE_BITS 9 #define SMK_NODE 0x80000000 + + #define SMKTREE_DECODE_MAX_RECURSION 32 typedef struct SmackVContext { AVCodecContext *avctx; @@@ -93,14 -94,16 +94,15 @@@ enum SmkBlockTypes /** * Decode local frame tree */ -static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc, - uint32_t prefix, int length) +static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length) { - if(length > 32 || length > 3*SMKTREE_BITS) { - av_log(NULL, AV_LOG_ERROR, "length too long\n"); - if (length > SMKTREE_DECODE_MAX_RECURSION) { ++ if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) { + av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n"); return AVERROR_INVALIDDATA; } + - if (!bitstream_read_bit(bc)) { // Leaf - if(hc->current >= 256){ + if(!get_bits1(gb)){ //Leaf + if(hc->current >= hc->length){ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; } _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
