[FFmpeg-cvslog] r19346 - trunk/libavcodec/huffyuv.c

lorenm subversion
Sun Jul 5 01:59:11 CEST 2009


Author: lorenm
Date: Sun Jul  5 01:59:10 2009
New Revision: 19346

Log:
fix a buffer overrun on corrupt huffyuv streams

Modified:
   trunk/libavcodec/huffyuv.c

Modified: trunk/libavcodec/huffyuv.c
==============================================================================
--- trunk/libavcodec/huffyuv.c	Sat Jul  4 22:41:11 2009	(r19345)
+++ trunk/libavcodec/huffyuv.c	Sun Jul  5 01:59:10 2009	(r19346)
@@ -213,7 +213,7 @@ static inline void sub_left_prediction_b
     *blue=  src[(w-1)*4+B];
 }
 
-static void read_len_table(uint8_t *dst, GetBitContext *gb){
+static int read_len_table(uint8_t *dst, GetBitContext *gb){
     int i, val, repeat;
 
     for(i=0; i<256;){
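Review bot: read_len_table now returns a status, but nothing at the definition states the contract, so callers have to read the body to learn the 0 / -1 convention. I would add a comment above the signature such as `/* Fills dst[0..255] from run-length coded (val, repeat) pairs; returns 0 on success, -1 if a run would go past the 256-entry table. */`. The function body continues outside this hunk.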
@@ -222,9 +222,14 @@ static void read_len_table(uint8_t *dst,
         if(repeat==0)
             repeat= get_bits(gb, 8);
 //printf("%d %d\n", val, repeat);
+        if(i+repeat > 256) {
+            av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
+            return -1;
+        }
         while (repeat--)
             dst[i++] = val;
     }
+    return 0;
 }
 
 static int generate_bits_table(uint32_t *dst, uint8_t *len_table){
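Review bot: The added `if(i+repeat > 256)` guard bounds the writes to dst, but nothing visible in the loop bounds the reads from gb. When the 8-bit fallback also yields 0, `while (repeat--)` writes nothing and i does not advance, so a truncated or zero-filled table may keep the outer loop consuming bits beyond the length given to init_get_bits. I would make the guard fail once the reader is exhausted as well, e.g. `if(i+repeat > 256 || get_bits_count(gb) > gb->size_in_bits) {`, assuming both are available in this tree's bit reader (to be confirmed). Separately, `av_log(NULL, ...)` drops the codec context, so the message cannot be tied to a stream; passing a context in would need a signature change. The top of the loop body lies between this hunk and the previous one and is not visible here.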
@@ -379,8 +384,8 @@ static int read_huffman_tables(HYuvConte
     init_get_bits(&gb, src, length*8);
 
     for(i=0; i<3; i++){
-        read_len_table(s->len[i], &gb);
-
+        if(read_len_table(s->len[i], &gb)<0)
+            return -1;
         if(generate_bits_table(s->bits[i], s->len[i])<0){
             return -1;
         }
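Review bot: The new early return at `if(read_len_table(s->len[i], &gb)<0) return -1;` can leave the context half-updated: s->len[] and s->bits[] for lower indices are already overwritten, s->len[i] is partly written, and the remaining entries keep their previous contents. That is safe only if every caller treats -1 as fatal for the stream, which is not visible from this hunk. I would document it at the function, e.g. `/* on error s->len/s->bits are partially updated; the caller must not decode with them */`. The same applies to the two early returns added to read_old_huffman_tables in the next hunk. As a style point, the new unbraced `if` sits directly above a braced single-statement `if`; using one form for both would read better.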
@@ -404,9 +409,11 @@ static int read_old_huffman_tables(HYuvC
     int i;
 
     init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
-    read_len_table(s->len[0], &gb);
+    if(read_len_table(s->len[0], &gb)<0)
+        return -1;
     init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8);
-    read_len_table(s->len[1], &gb);
+    if(read_len_table(s->len[1], &gb)<0)
+        return -1;
 
     for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma  [i];
     for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i];


