avcodec/rangecoder: Check e
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 25 Sep 2015 12:26:14 +0000 (14:26 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Thu, 19 Nov 2015 02:51:38 +0000 (03:51 +0100)
Fixes hang.nut

Found-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/ffv1dec.c
libavcodec/snow.h

index 55be6de..f89776d 100644 (file)
@@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
     else {
         int i, e, a;
         e = 0;
-        while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10
+        while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
+        }
 
         a = 1;
         for (i = e - 1; i >= 0; i--)
index 6dbcaf3..51623d6 100644 (file)
@@ -562,6 +562,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){
         e= 0;
         while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
         }
 
         a= 1;