escape124: reject codebook size 0
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 8 Nov 2016 23:38:50 +0000 (00:38 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Wed, 9 Nov 2016 20:10:59 +0000 (21:10 +0100)
It causes a cb_depth of 32, leading to assertion failures in get_bits.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/escape124.c

index b872b3a..c3174ce 100644 (file)
@@ -249,6 +249,10 @@ static int escape124_decode_frame(AVCodecContext *avctx,
                 // This codebook can be cut off at places other than
                 // powers of 2, leaving some of the entries undefined.
                 cb_size = get_bits_long(&gb, 20);
+                if (!cb_size) {
+                    av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 cb_depth = av_log2(cb_size - 1) + 1;
             } else {
                 cb_depth = get_bits(&gb, 4);