[FFmpeg-cvslog] avcodec/webp: Check more directly for invalid codes

Andreas Rheinhardt git at videolan.org
Sat Apr 26 01:15:07 EEST 2025


ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Fri Apr 18 18:50:59 2025 +0200| [d60445258ce5d11eaccc285e5c7931ad26a96eb5] | committer: Andreas Rheinhardt

avcodec/webp: Check more directly for invalid codes

Don't rely on invalid codes leading to get_vlc2() returning
-1, which then gets converted to an uint8_t, i.e. to 255
and runs afoul of a length check later. After all, get_vlc2()
could be changed to return something else which may
be valid when cast to uint8_t.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d60445258ce5d11eaccc285e5c7931ad26a96eb5
---

 libavcodec/webp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 9f83b518ad..46b20a1ab6 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -278,7 +278,7 @@ static int huff_reader_build_canonical(HuffReader *r, const uint8_t *code_length
     for (sym = 0; sym < alphabet_size; sym++)
         max_code_length = FFMAX(max_code_length, code_lengths[sym]);
 
-    if (max_code_length == 0 || max_code_length > MAX_HUFFMAN_CODE_LENGTH)
+    if (max_code_length == 0)
         return AVERROR(EINVAL);
 
     codes = av_malloc_array(alphabet_size, sizeof(*codes));
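
Review bot: With the upper-bound test on max_code_length removed, huff_reader_build_canonical() no longer rejects lengths above MAX_HUFFMAN_CODE_LENGTH itself and trusts every caller to have bounded the values in code_lengths[]. Only the literal path in read_huffman_code_normal() (code_len < 16U) is visible in this patch, so the guarantee for any other caller cannot be confirmed from these lines. Consider documenting the precondition at the top of the function, or keeping the bound as an assertion (for example av_assert1(max_code_length <= MAX_HUFFMAN_CODE_LENGTH)), so a future caller that passes an unchecked length fails loudly instead of building a table from it.
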
@@ -375,7 +375,7 @@ static int read_huffman_code_normal(WebPContext *s, HuffReader *hc,
         if (!max_symbol--)
             break;
         code_len = huff_reader_get_symbol(&code_len_hc, &s->gb);
-        if (code_len < 16) {
+        if (code_len < 16U) {
             /* Code length code [0..15] indicates literal code lengths. */
             code_lengths[symbol++] = code_len;
             if (code_len)
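
Review bot: The only thing keeping a negative return from huff_reader_get_symbol() out of the literal branch is the U suffix in "code_len < 16U", which works through implicit conversion to unsigned and depends on the declared type of code_len (not visible in this hunk). That is easy to undo by accident in a later cleanup. Please either add a short comment saying the unsigned comparison is intentional and also filters error returns, or spell the check out as an explicit "code_len < 0" test before this branch.
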
@@ -383,6 +383,9 @@ static int read_huffman_code_normal(WebPContext *s, HuffReader *hc,
         } else {
             int repeat = 0, length = 0;
             switch (code_len) {
+            default:
+                ret = AVERROR_INVALIDDATA;
+                goto finish;
             case 16:
                 /* Code 16 repeats the previous non-zero value [3..6] times,
                  * i.e., 3 + ReadBits(2) times. If code 16 is used before a
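
Review bot: The new default: label sits ahead of case 16 with no comment, so a reader has to consult the commit message to learn that it exists for invalid codes rather than for a legitimate code length value. A one-line comment on the label naming which values can reach it (anything outside the handled cases, including an error return from huff_reader_get_symbol()) would make the intent clear. Moving default: after the last case would also match the more usual layout, provided the preceding case ends in a break.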


