smacker: Make sure we don't fill in huffman codes out of range

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 0679cec6e8802643bbe6d5f68ca1110a7d3171da) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Martin Storsjö <martin@martin.st> 2013-09-11 15:54:20 +0300
committer: Luca Barbato <lu_zero@gentoo.org> 2013-10-03 20:29:25 +0200
commit: 01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45 (patch)
tree: df0dc2e4372f643c854a2ae30abec6eba6f3d212
parent: 47bb4d888e1ef84b29aec4641a737c3aa35663a7 (diff)
download: ffmpeg-01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index a72d7c5a35..2baf059af9 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -257,6 +257,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
     if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
     if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
     if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+    if (ctx.last[0] >= huff.length ||
+        ctx.last[1] >= huff.length ||
+        ctx.last[2] >= huff.length) {
+        av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
+        err = AVERROR_INVALIDDATA;
+    }
 
     *recodes = huff.values;
author	Martin Storsjö <martin@martin.st>	2013-09-11 15:54:20 +0300
committer	Luca Barbato <lu_zero@gentoo.org>	2013-10-03 20:29:25 +0200
commit	01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45 (patch)
tree	df0dc2e4372f643c854a2ae30abec6eba6f3d212
parent	47bb4d888e1ef84b29aec4641a737c3aa35663a7 (diff)
download	ffmpeg-01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45.tar.gz