diff options
| author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-03-02 20:47:57 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-03-09 01:24:24 +0100 |
| commit | 897a51f47b38ed3391d49590788e45fb6ba5c310 (patch) | |
| tree | 09b687d327e10f6c5147aa2c708d5b0991b35bb2 /libavcodec/webp.c | |
| parent | f2a84d04331d8179a3cac1adcdef9de1b5c3f1e9 (diff) | |
| download | ffmpeg-897a51f47b38ed3391d49590788e45fb6ba5c310.tar.gz | |
avcodec/webp: validate the distance prefix code
According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.
If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5de2dab12b951b2fe121eb18503accfc91cd1565)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/webp.c')
| -rw-r--r-- | libavcodec/webp.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 274708df79..31c5bd9ca8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,6 +694,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); + if (prefix_code > 39) { + av_log(s->avctx, AV_LOG_ERROR, + "distance prefix code too large: %d\n", prefix_code); + return AVERROR_INVALIDDATA; + } if (prefix_code < 4) { distance = prefix_code + 1; } else { |