[FFmpeg-devel] [PATCH] smacker: limit recursion depth of smacker_decode_bigtree

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sun Nov 20 01:44:21 EET 2016


On 19.11.2016 23:34, Michael Niedermayer wrote:
> On Sat, Nov 19, 2016 at 05:27:19PM +0100, Andreas Cadhalpun wrote:
>> diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
>> index b8a0c55..be3914b 100644
>> --- a/libavcodec/smacker.c
>> +++ b/libavcodec/smacker.c
>> @@ -129,8 +129,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
>>  /**
>>   * Decode header tree
>>   */
>> -static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
>> +static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
>>  {
>> +    if(length > 5000) { // Larger length can cause segmentation faults due to too deep recursion.
>> +        av_log(NULL, AV_LOG_ERROR, "length too long\n");
>> +        return AVERROR_INVALIDDATA;
>> +    }
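Review bot: the limit in `if(length > 5000)` is a bare magic number, and its justification (it fits the default 8 MB stack, as the reply explains) is nowhere in the code; give it a named constant with a comment recording that stack-size assumption, so whoever retunes it later, for instance to the 500 of the attached variant, knows what it is calibrated against. Minor: `av_log(NULL, ...)` cannot attribute the message to a decoder instance, so pass a logging context if one is reachable here, and a message such as "tree too deep" would describe the condition better than "length too long".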
> 
> are you sure this is not too large for some platforms ?

I don't think it's even possible to make this small enough for all cases,
as the stack size can be arbitrarily changed with 'ulimit -s'.

This value was chosen so that it works with the default stack size of 8 MB,
but if you think that's too much, it can be made smaller.

Attached is a variant reducing the 5000 to 500 and thus still working
with a stack size of only 0.8 MB.

Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-smacker-limit-recursion-depth-of-smacker_decode_bigt.patch
Type: text/x-diff
Size: 2207 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161120/97766b59/attachment.patch>
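The depth guard the patch adds, shown as an added stand-alone illustration that is not FFmpeg's code: a small MSB-first bit reader and a recursive tree decoder in the Smacker style, where a 0 bit introduces a leaf carrying an 8-bit value and a 1 bit an interior node followed by its two subtrees. The simplified layout, the names, and the MAX_TREE_DEPTH of 500 (matching the attached variant) are assumptions for the example. The guard is evaluated before any allocation or recursive call, so a constructed stream of all 1 bits, which asks for an endlessly nested chain of interior nodes, is rejected at the configured depth instead of consuming one stack frame per input bit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed depth limit for this example: the 500 of the attached patch variant
 * (the quoted hunk uses 5000, sized for the default 8 MB stack). */
#define MAX_TREE_DEPTH 500

typedef struct { const uint8_t *data; size_t size_bits; size_t pos; } BitReader;

/* Read one bit MSB-first; -1 at end of input. */
static int read_bit(BitReader *br)
{
    if (br->pos >= br->size_bits) return -1;
    int bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Read n bits (n <= 16) as an unsigned value; -1 at end of input. */
static int read_bits(BitReader *br, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        int b = read_bit(br);
        if (b < 0) return -1;
        v = (v << 1) | b;
    }
    return v;
}

typedef struct TreeNode {
    struct TreeNode *child[2];  /* both NULL for a leaf */
    int value;                  /* meaningful only for a leaf */
} TreeNode;

static void free_tree(TreeNode *n)
{
    if (!n) return;
    free_tree(n->child[0]); free_tree(n->child[1]); free(n);
}

/* Recursive decoder: a 0 bit introduces a leaf carrying an 8-bit value, a 1 bit
 * an interior node followed by its two subtrees. The depth check runs before
 * anything is allocated or recursed into, so hostile input can push at most
 * MAX_TREE_DEPTH + 1 frames. Returns NULL on malformed or over-deep input. */
static TreeNode *decode_tree(BitReader *br, int depth)
{
    if (depth > MAX_TREE_DEPTH) return NULL;   /* reject before recursing */
    int bit = read_bit(br);
    if (bit < 0) return NULL;
    TreeNode *n = calloc(1, sizeof(*n));
    if (!n) return NULL;
    if (bit == 0) {                            /* leaf */
        n->value = read_bits(br, 8);
        if (n->value < 0) goto fail;
        return n;
    }
    n->child[0] = decode_tree(br, depth + 1);  /* interior node */
    if (!n->child[0]) goto fail;
    n->child[1] = decode_tree(br, depth + 1);
    if (!n->child[1]) goto fail;
    return n;
fail:
    free_tree(n);                              /* frees the partial subtree */
    return NULL;
}

static int count_leaves(const TreeNode *n)
{
    if (!n) return 0;
    if (!n->child[0] && !n->child[1]) return 1;
    return count_leaves(n->child[0]) + count_leaves(n->child[1]);
}

/* Constructed well-formed input: node, leaf 0x01, leaf 0x02 (19 bits). */
int example_valid_tree_leaves(void)
{
    static const uint8_t good[] = { 0x80, 0x40, 0x40 };   /* 1 0 00000001 0 00000010 */
    BitReader br = { good, 19, 0 };
    TreeNode *t = decode_tree(&br, 0);
    int leaves = count_leaves(t);
    free_tree(t);
    return leaves;   /* 2 */
}

/* Constructed hostile input: 8192 one-bits, a chain of interior nodes nested
 * far deeper than MAX_TREE_DEPTH. Returns 1 when the guard rejects it. */
int example_deep_chain_rejected(void)
{
    uint8_t bad[1024];
    memset(bad, 0xFF, sizeof(bad));
    BitReader br = { bad, sizeof(bad) * 8, 0 };
    TreeNode *t = decode_tree(&br, 0);
    free_tree(t);   /* no-op when rejected */
    return t == NULL;
}
```

Calling example_valid_tree_leaves() from a main returns 2 and example_deep_chain_rejected() returns 1. Placing the check ahead of the allocation keeps the error path free of cleanup for the rejected level itself, and because the limit is a named constant the stack-size assumption it encodes can be revisited in one place, which is exactly the knob the thread is discussing.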

