aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-11-19 14:21:11 +0100
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-11-27 00:28:07 +0100
commit53e1493cb5a0977407c7869ec9adf4555ef07c66 (patch)
treed1e7b75735c10a58f96612e87b4046890b81933d
parent315f1dea84a3865dfaf949f99c9828a5b8dd4bcc (diff)
downloadffmpeg-53e1493cb5a0977407c7869ec9adf4555ef07c66.tar.gz
smacker: limit recursion depth of smacker_decode_bigtree
This fixes segmentation faults due to stack-overflow caused by too deep recursion. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-rw-r--r--libavcodec/smacker.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index f4fc16c42c..9085a8a427 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -129,8 +129,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
/**
* Decode header tree
*/
-static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
+static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
{
+ if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
+ av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ return AVERROR_INVALIDDATA;
+ }
if (hc->current + 1 >= hc->length) {
av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
return AVERROR_INVALIDDATA;
@@ -159,12 +163,12 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
int r = 0, r_new, t;
t = hc->current++;
- r = smacker_decode_bigtree(gb, hc, ctx);
+ r = smacker_decode_bigtree(gb, hc, ctx, length + 1);
if(r < 0)
return r;
hc->values[t] = SMK_NODE | r;
r++;
- r_new = smacker_decode_bigtree(gb, hc, ctx);
+ r_new = smacker_decode_bigtree(gb, hc, ctx, length + 1);
if (r_new < 0)
return r_new;
return r + r_new;
@@ -275,7 +279,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
goto error;
}
- if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
+ if (smacker_decode_bigtree(gb, &huff, &ctx, 0) < 0)
err = -1;
skip_bits1(gb);
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;