diff options
| author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-29 10:25:04 -0700 |
|---|---|---|
| committer | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-29 11:36:14 -0700 |
| commit | b7b1509d06d3696d3b944791227fe198ded0654b (patch) | |
| tree | 21f83a3ea77cd0626af571137117172a7207fe57 /libavcodec/truemotion2.c | |
| parent | bf39d3b59d85e5734babe48b61b8d92d18188185 (diff) | |
truemotion: forbid invalid VLC bitsizes and token values.
SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid
values larger than this in get_vlc2() (max_bits). tokens[][] can be
used as an index in deltas[], which has a size of 64, so ensure the
values are smaller than that.
This prevents crashes on corrupt bitstreams.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec/truemotion2.c')
| -rw-r--r-- | libavcodec/truemotion2.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 646c222805..67976c8337 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -130,7 +130,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) /* check for correct codes parameters */ if((huff.val_bits < 1) || (huff.val_bits > 32) || - (huff.max_bits < 0) || (huff.max_bits > 32)) { + (huff.max_bits < 0) || (huff.max_bits > 25)) { av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect tree parameters - literal length: %i, max code length: %i\n", huff.val_bits, huff.max_bits); return -1; @@ -322,10 +322,21 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i return -1; } ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes); + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", + ctx->tokens[stream_id][i], stream_id, i); + return AVERROR_INVALIDDATA; + } } } else { - for(i = 0; i < toks; i++) + for(i = 0; i < toks; i++) { ctx->tokens[stream_id][i] = codes.recode[0]; + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", + ctx->tokens[stream_id][i], stream_id, i); + return AVERROR_INVALIDDATA; + } + } } tm2_free_codes(&codes); @@ -837,9 +848,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip); - if(t == -1){ + if(t < 0){ av_free(swbuf); - return -1; + return t; } skip += t; } |