From: Michael Niedermayer <[email protected]> Prevents out of array writes
CC: [email protected] Bug-Id: CVE-2013-0868 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <[email protected]> --- libavcodec/huffyuvdec.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 9d2fbaf..06984ce 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -105,8 +105,9 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb) return 0; } -static void generate_joint_tables(HYuvContext *s) +static int generate_joint_tables(HYuvContext *s) { + int ret; uint16_t symbols[1 << VLC_BITS]; uint16_t bits[1 << VLC_BITS]; uint8_t len[1 << VLC_BITS]; @@ -172,14 +173,18 @@ static void generate_joint_tables(HYuvContext *s) } } ff_free_vlc(&s->vlc[3]); - init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0); + ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0); + if (ret < 0) + return ret; } + + return 0; } static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length) { GetBitContext gb; - int i; + int i, ret; init_get_bits(&gb, src, length * 8); @@ -190,13 +195,15 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length) return -1; } ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, - s->bits[i], 4, 4, 0); + ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0); + if (ret < 0) + return ret; } - generate_joint_tables(s); + ret = generate_joint_tables(s); - return (get_bits_count(&gb) + 7) / 8; + return ret < 0 ? ret : (get_bits_count(&gb) + 7) / 8; } static int read_old_huffman_tables(HYuvContext *s) @@ -230,9 +237,7 @@ static int read_old_huffman_tables(HYuvContext *s) s->bits[i], 4, 4, 0); } - generate_joint_tables(s); - - return 0; + return generate_joint_tables(s); } static av_cold int decode_init(AVCodecContext *avctx) -- 1.8.5.2 (Apple Git-48) _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
