[FFmpeg-devel] [PATCH] fix various bugs in lzw decoder

Reimar Döffinger Reimar.Doeffinger
Sun Jul 13 20:30:21 CEST 2008


Hello,
while working on issue 530 I found a whole load of problems with the
various lzw decoders (yes, it is long time to get rid of one of those,
but I won't do it ;-) ).
First, codesize must be _smaller_ than MAXBITS, since otherwise cursize
can be larger than MAXBITS and thus a code returned by get_code might
result in an access outside e.g. the prefix array.
It might be conceptually nicer to change SIZTABLE instead, no idea.
Also the GetCode in the gif demuxer does not handle eob_reached right.
I do not know how it is handled, but currently the pointer is
incremented forever as long as GetCode is called, far over the size of
the input buffer.
See attached patch for possible fixes.

Greetings,
Reimar Döffinger
-------------- next part --------------
diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c
index 207b807..7bdc89a 100644
--- a/libavcodec/lzw.c
+++ b/libavcodec/lzw.c
@@ -131,7 +131,7 @@ int ff_lzw_decode_init(LZWState *p, int csize, const uint8_t *buf, int buf_size,
 {
     struct LZWState *s = (struct LZWState *)p;
 
-    if(csize < 1 || csize > LZW_MAXBITS)
+    if(csize < 1 || csize >= LZW_MAXBITS)
         return -1;
     /* read buffer */
     s->pbuf = buf;
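Review bot: the tightened test "csize >= LZW_MAXBITS" carries no comment saying why the limit has to be exclusive, so a later reader may take it for an off-by-one and loosen it again. A short comment above the check stating the invariant from the covering mail (the working code width starts one bit above csize and must not exceed LZW_MAXBITS, otherwise a returned code can index past the tables) would make the intent durable. The mail also leaves open whether enlarging SIZTABLE would be the better fix; whichever is chosen, the relationship between the two constants should be written down next to one of them.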
diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c
index d1e80ae..0fdf04f 100644
--- a/libavformat/gifdec.c
+++ b/libavformat/gifdec.c
@@ -152,7 +152,7 @@ static void GLZWDecodeInit(GifState * s, int csize)
     s->bbits = 0;
 
     /* decoder */
-    s->codesize = csize;
+    s->codesize = FFMIN(csize, MAXBITS - 1);
     s->cursize = s->codesize + 1;
     s->curmask = mask[s->cursize];
     s->top_slot = 1 << s->cursize;
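Review bot: the FFMIN clamp on "s->codesize" bounds csize only from above, while the lines right after it compute cursize = codesize + 1 and then use it in mask[s->cursize] and 1 << s->cursize, both of which also need a lower bound. libavcodec/lzw.c rejects csize < 1 in the same patch; here nothing visible prevents a zero or negative value from reaching the table index and the shift. Consider clamping on both sides, or validating csize in the caller and failing the decode, since GLZWDecodeInit returns void and silently clamping lets a malformed stream decode with a code size it never declared.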
@@ -181,6 +181,9 @@ static inline int GetCode(GifState * s)
                 } else {
                     s->eob_reached = 1;
                 }
+            } else {
+                s->pbuf = s->ebuf = s->buf;
+                return 0;
             }
             ptr = s->pbuf;
         }
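Review bot: the new else branch ends with "return 0;", which the caller cannot tell apart from a legitimately decoded code 0, so after eob_reached the decoder keeps being fed valid-looking codes instead of learning that the input is exhausted. Returning a value outside the code range (a negative number, for instance) and checking for it in the callers would make the end of data explicit. A one-line comment on "s->pbuf = s->ebuf = s->buf;" explaining that it resets the pointers so they can no longer advance past the input buffer would also help, since that is the actual fix and it is not obvious from the assignment alone.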


