[FFmpeg-cvslog] avcodec/rangecoder: Check e
Michael Niedermayer
git at videolan.org
Thu Nov 19 11:27:53 CET 2015
ffmpeg | branch: release/2.6 | Michael Niedermayer <michael at niedermayer.cc> | Fri Sep 25 14:26:14 2015 +0200| [e77ad4b06954f7958942b42f8163dc1d9fdabebf] | committer: Michael Niedermayer
avcodec/rangecoder: Check e
Fixes hang.nut
Found-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e77ad4b06954f7958942b42f8163dc1d9fdabebf
---
libavcodec/ffv1dec.c | 5 ++++-
libavcodec/snow.h | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 55be6de..f89776d 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
else {
int i, e, a;
e = 0;
- while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10
+ while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
e++;
+ if (e > 31)
+ return AVERROR_INVALIDDATA;
+ }
a = 1;
for (i = e - 1; i >= 0; i--)
diff --git a/libavcodec/snow.h b/libavcodec/snow.h
index 6dbcaf3..51623d6 100644
--- a/libavcodec/snow.h
+++ b/libavcodec/snow.h
@@ -562,6 +562,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){
e= 0;
while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
e++;
+ if (e > 31)
+ return AVERROR_INVALIDDATA;
}
a= 1;
More information about the ffmpeg-cvslog
mailing list