On 13.12.2015 23:37, Andreas Cadhalpun wrote: > This macro unconditionally used out[-1], which causes an out of bounds > read, if out is the very beginning of the buffer. > > Signed-off-by: Andreas Cadhalpun <[email protected]> > --- > libavcodec/exr.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/libavcodec/exr.c b/libavcodec/exr.c > index 86a9908..cf28374 100644 > --- a/libavcodec/exr.c > +++ b/libavcodec/exr.c > @@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int > im, > lc += 8; > \ > } > > -#define get_code(po, rlc, c, lc, gb, out, oe) > \ > +#define get_code(po, rlc, c, lc, gb, out, oe, outb) > \ > { > \ > if (po == rlc) { > \ > if (lc < 8) > \ > @@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int > im, > > \ > cs = c >> lc; > \ > > \ > - if (out + cs > oe) > \ > + if (out + cs > oe || out == outb) > \ > return AVERROR_INVALIDDATA; > \ > > \ > s = out[-1]; > \ > @@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec > *hdecod, > > if (pl.len) { > lc -= pl.len; > - get_code(pl.lit, rlc, c, lc, gb, out, oe); > + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); > } else { > int j; > > @@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec > *hdecod, > if ((hcode[pl.p[j]] >> 6) == > ((c >> (lc - l)) & ((1LL << l) - 1))) { > lc -= l; > - get_code(pl.p[j], rlc, c, lc, gb, out, oe); > + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); > break; > } > } > @@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec > *hdecod, > > if (pl.len) { > lc -= pl.len; > - get_code(pl.lit, rlc, c, lc, gb, out, oe); > + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); > } else { > return AVERROR_INVALIDDATA; > } >
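Review bot: The new `out == outb` guard in get_code closes the out[-1] read, but the check it is joined to, `out + cs > oe`, still computes a pointer past the end of the output buffer before comparing it, which is undefined behaviour in C even where it happens to work; comparing distances avoids that, e.g. `if (out == outb || cs > oe - out)` (the type of `cs` is not visible in the hunk, so the comparison may need a cast). The macro also returns from the enclosing function on error and now takes eight positional arguments, none of which is documented; a comment above the `#define` such as `/* Emit one decoded code. A run-length code repeats the previous output sample, so it is invalid at the start of the buffer (outb); returns AVERROR_INVALIDDATA from the caller on overflow or malformed input. */` would make the hidden control flow explicit. The same call-site change appears in the three huf_decode hunks, and both get_code's body and huf_decode continue outside the hunks shown.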
This was applied to Libav, so I've pushed it also to FFmpeg. Best regards, Andreas
