From: Michael Niedermayer <michae...@gmx.at>
Signed-off-by: Michael Niedermayer <michae...@gmx.at>
Bug-Id: 1098
Cc: libav-sta...@libav.org
Signed-off-by: Sean McGovern <gsean...@gmail.com>
---
libavcodec/smacker.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 0e057a1..991aa2c 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -43,7 +43,7 @@
#define SMKTREE_BITS 9
#define SMK_NODE 0x80000000
-
+#define SMKTREE_DECODE_MAX_RECURSION 32
typedef struct SmackVContext {
AVCodecContext *avctx;
@@ -97,6 +97,11 @@ enum SmkBlockTypes {
static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc,
uint32_t prefix, int length)
{
+ if (length > SMKTREE_DECODE_MAX_RECURSION) {
+ av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if (!bitstream_read_bit(bc)) { // Leaf
if(hc->current >= 256){
av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
--
2.7.4
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
