X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fsmacker.c;h=61e316916bf20319f0a61be1f04561cd2f85bffe;hb=21add0c228e00b8ea89dd13082faa3dcb37912fb;hp=dad899c79179e3137681ef722482fe157087b2c4;hpb=bdbf14abba9d1fb99b63cdaabf4bba074a36ea2f;p=ffmpeg
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index dad899c7917..61e316916bf 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -43,6 +43,8 @@
 
 #define SMKTREE_BITS 9
 #define SMK_NODE 0x80000000
+#define SMKTREE_DECODE_MAX_RECURSION 32
+#define SMKTREE_DECODE_BIG_MAX_RECURSION 500
 
 typedef struct SmackVContext {
 AVCodecContext *avctx;
@@ -95,10 +97,11 @@ enum SmkBlockTypes {
 */
 static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length)
 {
- if(length > 32 || length > 3*SMKTREE_BITS) {
- av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS) {
+ av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n");
 return AVERROR_INVALIDDATA;
 }
+
 if(!get_bits1(gb)){ //Leaf
 if(hc->current >= hc->length){
 av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
@@ -129,12 +132,15 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 /**
 * Decode header tree
 */
-static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
+static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc,
+ DBCtx *ctx, int length)
 {
- if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
- av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ // Larger length can cause segmentation faults due to too deep recursion.
+ if (length > SMKTREE_DECODE_BIG_MAX_RECURSION) {
+ av_log(NULL, AV_LOG_ERROR, "Maximum bigtree recursion level exceeded.\n");
 return AVERROR_INVALIDDATA;
 }
+
 if (hc->current + 1 >= hc->length) {
 av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
 return AVERROR_INVALIDDATA;
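Review bot: The first term of `if (length > SMKTREE_DECODE_MAX_RECURSION || length > 3 * SMKTREE_BITS)` in smacker_decode_tree can never be the one that fires, because with SMKTREE_BITS defined as 9 the second bound is 27, below the new constant's 32. Calling 32 the maximum recursion level therefore misstates the limit the decoder enforces, and it hides what 32 presumably protects, the width of the `uint32_t prefix` argument. Either reduce the test to `if (length > 3 * SMKTREE_BITS) {` or keep both terms and say so at the define, e.g. `/* upper bound from the 32-bit prefix; the effective limit is 3 * SMKTREE_BITS */`. The function body continues past the end of this hunk, so how prefix is used is not visible here.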
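Review bot: The stack-overflow rationale stays at the use site in smacker_decode_bigtree, while the value it justifies now lives uncommented at `#define SMKTREE_DECODE_BIG_MAX_RECURSION 500` in the first hunk. This constant is the only visible bound between a crafted header tree and a crash from deep recursion, so the define should state that it appears to be a stack-depth guard rather than a format limit, e.g. `/* recursion cap for the header tree: guards the call stack against malformed input */`. Whether 500 nested calls are safe depends on the per-call frame size and the decoding thread's stack size, neither of which is visible here, so that assumption is worth recording next to the value. The function body continues past the end of this hunk.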