Merge commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f'
authorJames Almer <jamrial@gmail.com>
Sun, 12 Nov 2017 04:08:10 +0000 (01:08 -0300)
committerJames Almer <jamrial@gmail.com>
Sun, 12 Nov 2017 04:12:44 +0000 (01:12 -0300)
* commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f':
  smacker: add sanity check for length in smacker_decode_tree()

See b829da363985cb2f80130bba304cc29a632f6446

Merged-by: James Almer <jamrial@gmail.com>
libavcodec/smacker.c

@@@ -42,7 -42,8 +42,8 @@@
  
  #define SMKTREE_BITS 9
  #define SMK_NODE 0x80000000
 +
+ #define SMKTREE_DECODE_MAX_RECURSION 32
  
  typedef struct SmackVContext {
      AVCodecContext *avctx;
@@@ -93,14 -94,16 +94,15 @@@ enum SmkBlockTypes 
  /**
   * Decode local frame tree
   */
 -static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc,
 -                               uint32_t prefix, int length)
 +static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
  {
-     if(length > 32 || length > 3*SMKTREE_BITS) {
-         av_log(NULL, AV_LOG_ERROR, "length too long\n");
 -    if (length > SMKTREE_DECODE_MAX_RECURSION) {
++    if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) {
+         av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n");
          return AVERROR_INVALIDDATA;
      }
 -    if (!bitstream_read_bit(bc)) { // Leaf
 -        if(hc->current >= 256){
 +    if(!get_bits1(gb)){ //Leaf
 +        if(hc->current >= hc->length){
              av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
              return AVERROR_INVALIDDATA;
          }