diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2025-04-18 18:50:59 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2025-04-25 23:01:37 +0200 |
| commit | d60445258ce5d11eaccc285e5c7931ad26a96eb5 (patch) | |
| tree | 5815d591020f9fedeb6136d700a946048c8318b5 | |
| parent | 6676038b23bd8272b9d6b9bb94f64b55f5dfd954 (diff) | |
| download | ffmpeg-d60445258ce5d11eaccc285e5c7931ad26a96eb5.tar.gz | |
avcodec/webp: Check more directly for invalid codes
Don't rely on invalid codes leading to get_vlc2() returning
-1, which then gets converted to an uint8_t, i.e. to 255
and runs afoul of a length check later. After all, get_vlc2()
could be changed to return something else which may
be valid when cast to uint8_t.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
| -rw-r--r-- | libavcodec/webp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 9f83b518ad..46b20a1ab6 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -278,7 +278,7 @@ static int huff_reader_build_canonical(HuffReader *r, const uint8_t *code_length for (sym = 0; sym < alphabet_size; sym++) max_code_length = FFMAX(max_code_length, code_lengths[sym]); - if (max_code_length == 0 || max_code_length > MAX_HUFFMAN_CODE_LENGTH) + if (max_code_length == 0) return AVERROR(EINVAL); codes = av_malloc_array(alphabet_size, sizeof(*codes)); @@ -375,7 +375,7 @@ static int read_huffman_code_normal(WebPContext *s, HuffReader *hc, if (!max_symbol--) break; code_len = huff_reader_get_symbol(&code_len_hc, &s->gb); - if (code_len < 16) { + if (code_len < 16U) { /* Code length code [0..15] indicates literal code lengths. */ code_lengths[symbol++] = code_len; if (code_len) @@ -383,6 +383,9 @@ static int read_huffman_code_normal(WebPContext *s, HuffReader *hc, } else { int repeat = 0, length = 0; switch (code_len) { + default: + ret = AVERROR_INVALIDDATA; + goto finish; case 16: /* Code 16 repeats the previous non-zero value [3..6] times, * i.e., 3 + ReadBits(2) times. If code 16 is used before a |