Hi,
according to the WebP Lossless Bitstream Specification [1] the highest allowed
value for the prefix code is 39. Attached patch adds a check for this to avoid
crashes decoding broken files.
Best regards,
Andreas
[1] https://developers.google.com/speed/webp/docs/webp_lossless_bitstream_specification#4_image_data
From a33b82acc6ab16e1aafaa44d3258d5177dff2cb0 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Mon, 2 Mar 2015 20:47:57 +0100
Subject: [PATCH] avcodec/webp: validate the distance prefix code
According to the WebP Lossless Bitstream Specification the highest
allowed value for a prefix code is 39.
If prefix_code is too large, the calculated extra_bits has an invalid
value and triggers an assertion in get_bits.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
libavcodec/webp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index e0f7239..9549c0e 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -694,6 +694,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role,
length = offset + get_bits(&s->gb, extra_bits) + 1;
}
prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb);
+ if (prefix_code > 39) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "distance prefix code too large: %d\n", prefix_code);
+ return AVERROR_INVALIDDATA;
+ }
if (prefix_code < 4) {
distance = prefix_code + 1;
} else {
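Review bot: The bound in "if (prefix_code > 39)" is a bare magic number. A named constant, or a one-line comment pointing at the lossless bitstream specification, would keep the rationale in the code rather than only in the commit message. The context line above the new check, "length = offset + get_bits(&s->gb, extra_bits) + 1;", also feeds a computed extra_bits into get_bits on the length path, and nothing visible in this hunk bounds that value, so it is worth confirming that the length prefix cannot hit the same assertion. If huff_reader_get_symbol can return a negative value on a read error, the new check would not catch it; please state whether that case is handled elsewhere.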
--
2.1.4