[libav-devel] [PATCH] huffyuvdec: propagate init_vlc() return error

Sat, 02 Aug 2014 17:15:07 -0700 

From: Michael Niedermayer <[email protected]>

Prevents out of array writes

CC: [email protected]
Bug-Id: CVE-2013-0868
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <[email protected]>
---
 libavcodec/huffyuvdec.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 9d2fbaf..06984ce 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -105,8 +105,9 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb)
     return 0;
 }
 
-static void generate_joint_tables(HYuvContext *s)
+static int generate_joint_tables(HYuvContext *s)
 {
+    int ret;
     uint16_t symbols[1 << VLC_BITS];
     uint16_t bits[1 << VLC_BITS];
     uint8_t len[1 << VLC_BITS];
@@ -172,14 +173,18 @@ static void generate_joint_tables(HYuvContext *s)
             }
         }
         ff_free_vlc(&s->vlc[3]);
-        init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0);
+        ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0);
+        if (ret < 0)
+            return ret;
     }
+
+    return 0;
 }
 
 static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length)
 {
     GetBitContext gb;
-    int i;
+    int i, ret;
 
     init_get_bits(&gb, src, length * 8);
 
@@ -190,13 +195,15 @@ static int read_huffman_tables(HYuvContext *s, const 
uint8_t *src, int length)
             return -1;
         }
         ff_free_vlc(&s->vlc[i]);
-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
-                 s->bits[i], 4, 4, 0);
+        ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                       s->bits[i], 4, 4, 0);
+        if (ret < 0)
+            return ret;
     }
 
-    generate_joint_tables(s);
+    ret = generate_joint_tables(s);
 
-    return (get_bits_count(&gb) + 7) / 8;
+    return ret < 0 ? ret : (get_bits_count(&gb) + 7) / 8;
 }
 
 static int read_old_huffman_tables(HYuvContext *s)
@@ -230,9 +237,7 @@ static int read_old_huffman_tables(HYuvContext *s)
                  s->bits[i], 4, 4, 0);
     }
 
-    generate_joint_tables(s);
-
-    return 0;
+    return generate_joint_tables(s);
 }
 
 static av_cold int decode_init(AVCodecContext *avctx)
-- 
1.8.5.2 (Apple Git-48)

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to