From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>

This fixes segmentation faults due to stack overflow caused by too-deep
recursion.

Reviewed-by: Michael Niedermayer <mich...@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Signed-off-by: Sean McGovern <gsean...@gmail.com>
---
 libavcodec/smacker.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index e829405..018892b 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -133,8 +133,13 @@ static int smacker_decode_tree(BitstreamContext *bc, 
HuffContext *hc,
  * Decode header tree
  */
 static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc,
-                                  DBCtx *ctx)
+                                  DBCtx *ctx, int length)
 {
+    if(length > 500) { // Larger length can cause segmentation faults due to 
too deep recursion.
+        av_log(NULL, AV_LOG_ERROR, "length too long\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (hc->current + 1 >= hc->length) {
         av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
         return AVERROR_INVALIDDATA;
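Review bot: The recursion bound on line 25 is a bare magic number, and the message on line 27 reports "length too long" although the value being checked is a nesting depth rather than a length; a named constant would make both the guard and the log self-explanatory, e.g. `enum { SMK_MAX_BIGTREE_DEPTH = 500 };` above the function and `if (depth > SMK_MAX_BIGTREE_DEPTH) { av_log(NULL, AV_LOG_ERROR, "Tree recursion depth exceeded\n");`. Renaming the new parameter from `length` to `depth` would also match what the `length + 1` call sites in the second hunk actually pass, and the `if(` spelling on line 25 differs from the `if (` used on line 31 in the same function. The limit only protects smacker_decode_bigtree; smacker_decode_tree, visible only in the hunk header, is not touched by this patch, so if it recurses in the same way it would need the same bound — that cannot be confirmed from the hunk. The body of smacker_decode_bigtree continues past the end of this hunk.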
@@ -163,12 +168,12 @@ static int smacker_decode_bigtree(BitstreamContext *bc, 
HuffContext *hc,
         int r = 0, r_new, t;
 
         t = hc->current++;
-        r = smacker_decode_bigtree(bc, hc, ctx);
+        r = smacker_decode_bigtree(bc, hc, ctx, length + 1);
         if(r < 0)
             return r;
         hc->values[t] = SMK_NODE | r;
         r++;
-        r_new = smacker_decode_bigtree(bc, hc, ctx);
+        r_new = smacker_decode_bigtree(bc, hc, ctx, length + 1);
         if (r_new < 0)
             return r_new;
         return r + r_new;
@@ -269,7 +274,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, 
BitstreamContext *bc,
         goto error;
     }
 
-    if ((res = smacker_decode_bigtree(bc, &huff, &ctx)) < 0)
+    if ((res = smacker_decode_bigtree(bc, &huff, &ctx, 0)) < 0)
         err = res;
     bitstream_skip(bc, 1);
     if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
-- 
2.7.4
