authorMichael Niedermayer <michaelni@gmx.at>2012-01-25 22:28:57 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-01-25 22:32:11 +0100
commit1285baaab550e3e761590ef6dfb1d9bd9d1332e4 (patch)
treed01bae89482934662d1e6d6f2f32ae44bea6ae44 /libavcodec
parent247d30a7dba6684ccce4508424f35fd58465e535 (diff)
smackerdec: Check that the last indexes are within the table.
Fixes CVE-2011-3944 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/smacker.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 30f99b488d..2a8bae8a1b 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+ if(huff.current > huff.length){
+ ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
+ av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
+ return -1;
+ }
*recodes = huff.values;
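Review bot: The new `return -1;` leaves the function before `*recodes = huff.values;`, so on the damaged-tree path the values table is never handed to the caller and any cleanup later in the function is skipped. If `huff.values` and the temporary decode tables are allocated inside smacker_decode_header_tree (the allocation is outside this hunk, so this needs confirming), each rejected file leaks them, which a malformed stream can trigger repeatedly. I would either release the buffer before returning, e.g. `av_free(huff.values);` ahead of `return -1;`, or record the error and fall through to the function's existing cleanup. A short comment on `ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;` saying why the indexes are reset to an in-range value just before failing would also help, for instance `/* keep last[] inside the table in case the caller still reads it */`, assuming that is the intent. The function body starts and ends outside the hunk.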