virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00
Code Issues Releases Activity

exr: fix out of bounds read in get_code

Browse Source 
This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 90b99a8107)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
Andreas Cadhalpun 2015-12-13 23:17:09 +01:00
parent 3e187a9a2d
commit 5b88d24f24
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/exr.c
View File

@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
lc += 8; \ lc += 8; \
} }
#define get_code(po, rlc, c, lc, gb, out, oe) \ #define get_code(po, rlc, c, lc, gb, out, oe, outb) \
{ \ { \
if (po == rlc) { \ if (po == rlc) { \
if (lc < 8) \ if (lc < 8) \
@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
\ \
cs = c >> lc; \ cs = c >> lc; \
\ \
if (out + cs > oe) \ if (out + cs > oe || out == outb) \
return AVERROR_INVALIDDATA; \ return AVERROR_INVALIDDATA; \
\ \
s = out[-1]; \ s = out[-1]; \
@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
if (pl.len) { if (pl.len) {
lc -= pl.len; lc -= pl.len;
get_code(pl.lit, rlc, c, lc, gb, out, oe); get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
} else { } else {
int j; int j;
@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
if ((hcode[pl.p[j]] >> 6) == if ((hcode[pl.p[j]] >> 6) ==
((c >> (lc - l)) & ((1LL << l) - 1))) { ((c >> (lc - l)) & ((1LL << l) - 1))) {
lc -= l; lc -= l;
get_code(pl.p[j], rlc, c, lc, gb, out, oe); get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
break; break;
} }
} }
@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
if (pl.len) { if (pl.len) {
lc -= pl.len; lc -= pl.len;
get_code(pl.lit, rlc, c, lc, gb, out, oe); get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
} else { } else {
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }