avcodec/bitstream: Check bits in ff_init_vlc_sparse()
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 18 Apr 2013 00:47:10 +0000 (02:47 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 15 Jan 2014 23:35:12 +0000 (00:35 +0100)
Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/bitstream.c

index 6bcdadb..6598d3e 100644 (file)
@@ -305,6 +305,10 @@ int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
         GET_DATA(buf[j].bits, bits, i, bits_wrap, bits_size);\
         if (!(condition))\
             continue;\
+        if (buf[j].bits > 3*nb_bits || buf[j].bits>32) {\
+            av_log(NULL, AV_LOG_ERROR, "Too long VLC in init_vlc\n");\
+            return -1;\
+        }\
         GET_DATA(buf[j].code, codes, i, codes_wrap, codes_size);\
         if (flags & INIT_VLC_LE)\
             buf[j].code = bitswap_32(buf[j].code);\
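Review bot: The `return -1;` added at the new length check exits ff_init_vlc_sparse() from inside a multi-line macro body, so whatever cleanup the function does on its other exit paths is skipped. The allocation of `buf` is outside this hunk; if it comes from the heap, the rejected-table path leaks it on every malformed input, and the branch should release it first, e.g. `av_free(buf);` before the return. It would also help triage to log the offending value, `av_log(NULL, AV_LOG_ERROR, "Too long VLC (%d) in init_vlc\n", buf[j].bits);`. The two bounds deserve a short comment such as `/* code lengths beyond 32 bits cannot be held in buf[j].code; 3*nb_bits presumably caps the sub-table depth */`, since the reason for the factor 3 is not visible here. The function and the macro both start and end outside the hunk.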