speedhq: fix out-of-bounds write

Certain alpha run lengths (for SHQ1/SHQ3/SHQ5) could be stored in both long and short versions, and we would only accept the short version, returning -1 (invalid code) for the others. This could cause an out-of-bounds write on malicious input, as discovered by Andreas Cadhalpun during fuzzing. Fix by simply allowing both versions, leaving no invalid codes in the alpha VLC. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Steinar H. Gunderson <steinar+ffmpeg@gunderson.no> 2017-02-01 17:19:18 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-02-02 01:12:07 +0100
commit: 08b098169be079c4f124a351fda6764fbcd10e79 (patch)
tree: d990582c4339f2bc1c3892c8f0710e3be139a395 /libavcodec/vlc.h
parent: 4c2176d45be1a7fbbcdf1f3d01b1ba2bab6f8d0f (diff)
download: ffmpeg-08b098169be079c4f124a351fda6764fbcd10e79.tar.gz
1 files changed, 11 insertions, 4 deletions
diff --git a/libavcodec/vlc.h b/libavcodec/vlc.h
index 40096d8944..42ccddf3fc 100644
--- a/libavcodec/vlc.h
+++ b/libavcodec/vlc.h
@@ -54,21 +54,28 @@ void ff_free_vlc(VLC *vlc);
 #define INIT_VLC_LE             2
 #define INIT_VLC_USE_NEW_STATIC 4
 
-#define INIT_VLC_STATIC(vlc, bits, a, b, c, d, e, f, g, static_size)       \
+#define INIT_VLC_SPARSE_STATIC(vlc, bits, a, b, c, d, e, f, g, h, i, j, static_size) \
     do {                                                                   \
         static VLC_TYPE table[static_size][2];                             \
         (vlc)->table           = table;                                    \
         (vlc)->table_allocated = static_size;                              \
-        init_vlc(vlc, bits, a, b, c, d, e, f, g, INIT_VLC_USE_NEW_STATIC); \
+        ff_init_vlc_sparse(vlc, bits, a, b, c, d, e, f, g, h, i, j,        \
+            INIT_VLC_USE_NEW_STATIC);                                      \
     } while (0)
 
-#define INIT_LE_VLC_STATIC(vlc, bits, a, b, c, d, e, f, g, static_size)    \
+#define INIT_LE_VLC_SPARSE_STATIC(vlc, bits, a, b, c, d, e, f, g, h, i, j, static_size) \
     do {                                                                   \
         static VLC_TYPE table[static_size][2];                             \
         (vlc)->table           = table;                                    \
         (vlc)->table_allocated = static_size;                              \
-        init_vlc(vlc, bits, a, b, c, d, e, f, g,                           \
+        ff_init_vlc_sparse(vlc, bits, a, b, c, d, e, f, g, h, i, j,        \
             INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE);                        \
     } while (0)
 
+#define INIT_VLC_STATIC(vlc, bits, a, b, c, d, e, f, g, static_size)       \
+    INIT_VLC_SPARSE_STATIC(vlc, bits, a, b, c, d, e, f, g, NULL, 0, 0, static_size)
+
+#define INIT_LE_VLC_STATIC(vlc, bits, a, b, c, d, e, f, g, static_size) \
+    INIT_LE_VLC_SPARSE_STATIC(vlc, bits, a, b, c, d, e, f, g, NULL, 0, 0, static_size)
+
 #endif /* AVCODEC_VLC_H */
author	Steinar H. Gunderson <steinar+ffmpeg@gunderson.no>	2017-02-01 17:19:18 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-02-02 01:12:07 +0100
commit	08b098169be079c4f124a351fda6764fbcd10e79 (patch)
tree	d990582c4339f2bc1c3892c8f0710e3be139a395 /libavcodec/vlc.h
parent	4c2176d45be1a7fbbcdf1f3d01b1ba2bab6f8d0f (diff)
download	ffmpeg-08b098169be079c4f124a351fda6764fbcd10e79.tar.gz