exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-12-13 23:17:09 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2015-12-20 16:13:32 +0100
commit: e7b09eaefa5d117c79e23d7c70732249af383b2a (patch)
tree: 69382aeb6b608d6bcc3f78ace504e972d0783f28
parent: e32095807b86480dfa5395972f7734990e27c146 (diff)
download: ffmpeg-e7b09eaefa5d117c79e23d7c70732249af383b2a.tar.gz
1 files changed, 5 insertions, 5 deletions
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index ff2d7b062c..eb3283848d 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -460,7 +460,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
         lc += 8;                                                              \
 }
 
-#define get_code(po, rlc, c, lc, gb, out, oe)                                 \
+#define get_code(po, rlc, c, lc, gb, out, oe, outb)                           \
 {                                                                             \
         if (po == rlc) {                                                      \
             if (lc < 8)                                                       \
@@ -469,7 +469,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
                                                                               \
             cs = c >> lc;                                                     \
                                                                               \
-            if (out + cs > oe)                                                \
+            if (out + cs > oe || out == outb)                                 \
                 return AVERROR_INVALIDDATA;                                   \
                                                                               \
             s = out[-1];                                                      \
@@ -502,7 +502,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
 
             if (pl.len) {
                 lc -= pl.len;
-                get_code(pl.lit, rlc, c, lc, gb, out, oe);
+                get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
             } else {
                 int j;
 
@@ -519,7 +519,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
                         if ((hcode[pl.p[j]] >> 6) ==
                             ((c >> (lc - l)) & ((1LL << l) - 1))) {
                             lc -= l;
-                            get_code(pl.p[j], rlc, c, lc, gb, out, oe);
+                            get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
                             break;
                         }
                     }
@@ -540,7 +540,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
 
         if (pl.len) {
             lc -= pl.len;
-            get_code(pl.lit, rlc, c, lc, gb, out, oe);
+            get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
         } else {
             return AVERROR_INVALIDDATA;
         }
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-12-13 23:17:09 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2015-12-20 16:13:32 +0100
commit	e7b09eaefa5d117c79e23d7c70732249af383b2a (patch)
tree	69382aeb6b608d6bcc3f78ace504e972d0783f28
parent	e32095807b86480dfa5395972f7734990e27c146 (diff)
download	ffmpeg-e7b09eaefa5d117c79e23d7c70732249af383b2a.tar.gz