From 2c69fcc2ffe671649e56dc981e9f4cd9d46a61be Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Fri, 30 Nov 2012 16:00:07 +0100
Subject: smacker: more complete vlc length check, fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/smacker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavcodec/smacker.c')

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 095f0d0e52..e1e67da3ac 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -96,7 +96,7 @@ enum SmkBlockTypes {
  */
 static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
 {
-    if(length > 32) {
+    if(length > 32 || length > 3*SMKTREE_BITS) {
         av_log(NULL, AV_LOG_ERROR, "length too long\n");
         return AVERROR_INVALIDDATA;
     }
-- 
cgit v1.2.3