generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

exr: fix out of bounds read in get_code

Browse Source 
This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
Andreas Cadhalpun 2015-12-13 23:17:09 +01:00
parent 4d5c3b02e9
commit 90b99a8107
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/exr.c
View File

@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
lc += 8; \
}
#define get_code(po, rlc, c, lc, gb, out, oe) \
#define get_code(po, rlc, c, lc, gb, out, oe, outb) \
{ \
if (po == rlc) { \
if (lc < 8) \
@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
\
cs = c >> lc; \
\
if (out + cs > oe) \
if (out + cs > oe || out == outb) \
return AVERROR_INVALIDDATA; \
\
s = out[-1]; \
@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
if (pl.len) {
lc -= pl.len;
get_code(pl.lit, rlc, c, lc, gb, out, oe);
get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
} else {
int j;
@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
if ((hcode[pl.p[j]] >> 6) ==
((c >> (lc - l)) & ((1LL << l) - 1))) {
lc -= l;
get_code(pl.p[j], rlc, c, lc, gb, out, oe);
get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
break;
}
}
@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
if (pl.len) {
lc -= pl.len;
get_code(pl.lit, rlc, c, lc, gb, out, oe);
get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
} else {
return AVERROR_INVALIDDATA;
}