[FFmpeg-cvslog] webp: ensure that each transform is only used once
Andreas Cadhalpun
git at videolan.org
Fri Mar 20 02:08:13 CET 2015
ffmpeg | branch: master | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Thu Mar 5 22:48:28 2015 +0100| [30e6abd1a8cc4fd5daf2e23ad2e768862c39e975] | committer: Anton Khirnov
webp: ensure that each transform is only used once
According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".
If a transform is more than once this can lead to memory
corruption.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Anton Khirnov <anton at khirnov.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30e6abd1a8cc4fd5daf2e23ad2e768862c39e975
---
libavcodec/webp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 58f7810..62f35f7 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -1081,7 +1081,7 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p,
unsigned int data_size, int is_alpha_chunk)
{
WebPContext *s = avctx->priv_data;
- int w, h, ret, i;
+ int w, h, ret, i, used;
if (!is_alpha_chunk) {
s->lossless = 1;
@@ -1131,9 +1131,17 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p,
/* parse transformations */
s->nb_transforms = 0;
s->reduced_width = 0;
+ used = 0;
while (get_bits1(&s->gb)) {
enum TransformType transform = get_bits(&s->gb, 2);
s->transforms[s->nb_transforms++] = transform;
+ if (used & (1 << transform)) {
+ av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n",
+ transform);
+ ret = AVERROR_INVALIDDATA;
+ goto free_and_return;
+ }
+ used |= (1 << transform);
switch (transform) {
case PREDICTOR_TRANSFORM:
ret = parse_transform_predictor(s);
More information about the ffmpeg-cvslog
mailing list