[FFmpeg-cvslog] Merge commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f'
James Almer
git at videolan.org
Sun Nov 12 06:14:04 EET 2017
ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Sun Nov 12 01:08:10 2017 -0300| [b3e5899e475d02dc0730e9405b4c067c8c78d8f4] | committer: James Almer
Merge commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f'
* commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f':
smacker: add sanity check for length in smacker_decode_tree()
See b829da363985cb2f80130bba304cc29a632f6446
Merged-by: James Almer <jamrial at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3e5899e475d02dc0730e9405b4c067c8c78d8f4
---
libavcodec/smacker.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index dad899c791..2077dde4a1 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -43,6 +43,7 @@
#define SMKTREE_BITS 9
#define SMK_NODE 0x80000000
+#define SMKTREE_DECODE_MAX_RECURSION 32
typedef struct SmackVContext {
AVCodecContext *avctx;
@@ -95,10 +96,11 @@ enum SmkBlockTypes {
*/
static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
{
- if(length > 32 || length > 3*SMKTREE_BITS) {
- av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) {
+ av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n");
return AVERROR_INVALIDDATA;
}
+
if(!get_bits1(gb)){ //Leaf
if(hc->current >= hc->length){
av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
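Review bot: In the new guard at the top of smacker_decode_tree(), `length > SMKTREE_DECODE_MAX_RECURSION` can never be the deciding test. With SMKTREE_BITS defined as 9, the second operand `3 * SMKTREE_BITS` is 27 and already rejects everything the first would, so the depth actually enforced on a tree read from the bitstream is 27, not the 32 the new constant suggests. Either define the constant as the real bound or say so at the check, e.g. `/* effective limit is 3 * SMKTREE_BITS (27); the 32 cap only mirrors the merged commit */`. Printing the rejected value would also help when triaging a malformed file: `av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded (%d).\n", length);`. The same line appears in the combined-diff hunk further down, and the function body continues outside this hunk.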
======================================================================
diff --cc libavcodec/smacker.c
index dad899c791,7deccffa54..2077dde4a1
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@@ -42,7 -42,8 +42,8 @@@
#define SMKTREE_BITS 9
#define SMK_NODE 0x80000000
+
+ #define SMKTREE_DECODE_MAX_RECURSION 32
typedef struct SmackVContext {
AVCodecContext *avctx;
@@@ -93,14 -94,16 +94,15 @@@ enum SmkBlockTypes
/**
* Decode local frame tree
*/
-static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc,
- uint32_t prefix, int length)
+static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
{
- if(length > 32 || length > 3*SMKTREE_BITS) {
- av_log(NULL, AV_LOG_ERROR, "length too long\n");
- if (length > SMKTREE_DECODE_MAX_RECURSION) {
++ if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) {
+ av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n");
return AVERROR_INVALIDDATA;
}
+
- if (!bitstream_read_bit(bc)) { // Leaf
- if(hc->current >= 256){
+ if(!get_bits1(gb)){ //Leaf
+ if(hc->current >= hc->length){
av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
return AVERROR_INVALIDDATA;
}