ffmpeg | branch: master | James Almer <jamr...@gmail.com> | Sun Nov 12 01:13:07 2017 -0300| [d2ad6f11920e972d0ef53121f74d9e25a3eb4304] | committer: James Almer
Merge commit '0ccddbad200c1d9439c5a836501917d515cddf76' * commit '0ccddbad200c1d9439c5a836501917d515cddf76': smacker: limit recursion depth of smacker_decode_bigtree See 946ecd19ea752399bccc751c9339ff74b815587e Merged-by: James Almer <jamr...@gmail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d2ad6f11920e972d0ef53121f74d9e25a3eb4304 --- libavcodec/smacker.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 2077dde4a1..61e316916b 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -44,6 +44,7 @@
 #define SMK_NODE 0x80000000
 #define SMKTREE_DECODE_MAX_RECURSION 32
+#define SMKTREE_DECODE_BIG_MAX_RECURSION 500
 typedef struct SmackVContext {
 AVCodecContext *avctx;
@@ -131,12 +132,15 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 /**
 * Decode header tree
 */
-static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
+static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc,
+ DBCtx *ctx, int length)
 {
- if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
- av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ // Larger length can cause segmentation faults due to too deep recursion.
+ if (length > SMKTREE_DECODE_BIG_MAX_RECURSION) {
+ av_log(NULL, AV_LOG_ERROR, "Maximum bigtree recursion level exceeded.\n");
 return AVERROR_INVALIDDATA;
 }
+
 if (hc->current + 1 >= hc->length) {
 av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
 return AVERROR_INVALIDDATA;
======================================================================
diff --cc libavcodec/smacker.c
index 2077dde4a1,636e3b48e3..61e316916b
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c @@@ -42,8 -42,9 +42,9 @@@ #define SMKTREE_BITS 9 #define SMK_NODE 0x80000000 + #define SMKTREE_DECODE_MAX_RECURSION 32 + #define SMKTREE_DECODE_BIG_MAX_RECURSION 500 typedef struct SmackVContext { AVCodecContext *avctx; @@@ -131,12 -133,15 +132,15 @@@ static int smacker_decode_tree(GetBitCo /** * Decode header tree */ - static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length) -static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc, ++static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, + DBCtx *ctx, int length) { - if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion. - av_log(NULL, AV_LOG_ERROR, "length too long\n"); + // Larger length can cause segmentation faults due to too deep recursion. + if (length > SMKTREE_DECODE_BIG_MAX_RECURSION) { + av_log(NULL, AV_LOG_ERROR, "Maximum bigtree recursion level exceeded.\n"); return AVERROR_INVALIDDATA; } + if (hc->current + 1 >= hc->length) { av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); return AVERROR_INVALIDDATA; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
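Review bot: The new `SMKTREE_DECODE_BIG_MAX_RECURSION` define carries no comment, so the only explanation of the limit is the one-line remark inside `smacker_decode_bigtree`, away from the constant a maintainer would actually edit. Since this bound is what stops a malformed header tree from recursing until the stack is exhausted, I would document it at the define, e.g. `/* Max recursion depth of smacker_decode_bigtree(); caps stack use on malformed input. */`. That comment should also say that a safe value depends on the per-call frame size and the smallest thread stack the decoder runs on, because the hunk does not show how 500 was derived. The rewritten `av_log(NULL, ...)` call still logs without a context, which makes a rejected file hard to attribute to a stream; passing one would presumably need a signature change outside this hunk. The function body continues past the last visible line.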