[FFmpeg-cvslog] Merge commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f'

[James Almer]

ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Sun Nov 12 01:08:10 2017 -0300| [b3e5899e475d02dc0730e9405b4c067c8c78d8f4] | committer: James Almer

Merge commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f'

* commit 'cd4663dc80323ba64989d0c103d51ad3ee0e9c2f':
  smacker: add sanity check for length in smacker_decode_tree()

See b829da363985cb2f80130bba304cc29a632f6446

Merged-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3e5899e475d02dc0730e9405b4c067c8c78d8f4
---

 libavcodec/smacker.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index dad899c791..2077dde4a1 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -43,6 +43,7 @@
 #define SMKTREE_BITS 9
 #define SMK_NODE 0x80000000
 
+#define SMKTREE_DECODE_MAX_RECURSION 32
 
 typedef struct SmackVContext {
     AVCodecContext *avctx;
@@ -95,10 +96,11 @@ enum SmkBlockTypes {
  */
 static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
 {
-    if(length > 32 || length > 3*SMKTREE_BITS) {
-        av_log(NULL, AV_LOG_ERROR, "length too long\n");
+    if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) {
+        av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n");
         return AVERROR_INVALIDDATA;
     }
+
     if(!get_bits1(gb)){ //Leaf
         if(hc->current >= hc->length){
             av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");


======================================================================

diff --cc libavcodec/smacker.c
index dad899c791,7deccffa54..2077dde4a1
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@@ -42,7 -42,8 +42,8 @@@
  
  #define SMKTREE_BITS 9
  #define SMK_NODE 0x80000000
 +
+ #define SMKTREE_DECODE_MAX_RECURSION 32
  
  typedef struct SmackVContext {
      AVCodecContext *avctx;
@@@ -93,14 -94,16 +94,15 @@@ enum SmkBlockTypes 
  /**
   * Decode local frame tree
   */
 -static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc,
 -                               uint32_t prefix, int length)
 +static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
  {
-     if(length > 32 || length > 3*SMKTREE_BITS) {
-         av_log(NULL, AV_LOG_ERROR, "length too long\n");
 -    if (length > SMKTREE_DECODE_MAX_RECURSION) {
++    if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) {
+         av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n");
          return AVERROR_INVALIDDATA;
      }
+ 
 -    if (!bitstream_read_bit(bc)) { // Leaf
 -        if(hc->current >= 256){
 +    if(!get_bits1(gb)){ //Leaf
 +        if(hc->current >= hc->length){
              av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
              return AVERROR_INVALIDDATA;
          }