diff options
| author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-29 10:25:04 -0700 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-29 22:07:03 +0200 |
| commit | be424d86a85af1d86d2a4d1bc3fede3d6078f796 (patch) | |
| tree | 816d71191bb5fc6a47a556913d6877c4f55d8319 | |
| parent | a08cb950b25d31ecc9c083dc8f70b30ec3c70cc9 (diff) | |
| download | ffmpeg-be424d86a85af1d86d2a4d1bc3fede3d6078f796.tar.gz | |
truemotion: forbid invalid VLC bitsizes and token values.
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.
This prevents crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b7b1509d06d3696d3b944791227fe198ded0654b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavcodec/truemotion2.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 5ec24de8a8..81dc84a7af 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -130,7 +130,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) /* check for correct codes parameters */ if((huff.val_bits < 1) || (huff.val_bits > 32) || - (huff.max_bits < 0) || (huff.max_bits > 32)) { + (huff.max_bits < 0) || (huff.max_bits > 25)) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect tree parameters - literal length: %i, max code length: %i\n", huff.val_bits, huff.max_bits); return -1; @@ -322,10 +322,21 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i return -1; } ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes); + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", + ctx->tokens[stream_id][i], stream_id, i); + return AVERROR_INVALIDDATA; + } } } else { - for(i = 0; i < toks; i++) + for(i = 0; i < toks; i++) { ctx->tokens[stream_id][i] = codes.recode[0]; + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", + ctx->tokens[stream_id][i], stream_id, i); + return AVERROR_INVALIDDATA; + } + } } tm2_free_codes(&codes); @@ -837,9 +848,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip); - if(t == -1){ + if(t < 0){ av_free(swbuf); - return -1; + return t; } skip += t; } |