avcodec/bitstream: Check code length before truncating to uint8_t

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2025-08-15 14:13:16 +02:00 · 2020-10-24 14:11:14 +02:00
parent e5be4c5a88
commit e75b6ec43b
1 changed files with 7 additions and 5 deletions
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@@ -302,15 +302,17 @@ int ff_init_vlc_sparse(VLC *vlc_arg, int nb_bits, int nb_codes,
    j = 0;
 #define COPY(condition)\
    for (i = 0; i < nb_codes; i++) {                                        \
-        GET_DATA(buf[j].bits, bits, i, bits_wrap, bits_size);               \
+        unsigned len;                                                       \
        GET_DATA(len, bits, i, bits_wrap, bits_size);                       \
        if (!(condition))                                                   \
            continue;                                                       \
-        if (buf[j].bits > 3*nb_bits || buf[j].bits>32) {                    \
+        if (len > 3*nb_bits || len > 32) {                                  \
-            av_log(NULL, AV_LOG_ERROR, "Too long VLC (%d) in init_vlc\n", buf[j].bits);\
+            av_log(NULL, AV_LOG_ERROR, "Too long VLC (%u) in init_vlc\n", len);\
            if (buf != localbuf)                                            \
                av_free(buf);                                               \
            return AVERROR(EINVAL);                                         \
        }                                                                   \
        buf[j].bits = len;                                                  \
        GET_DATA(buf[j].code, codes, i, codes_wrap, codes_size);            \
        if (buf[j].code >= (1LL<<buf[j].bits)) {                            \
            av_log(NULL, AV_LOG_ERROR, "Invalid code %"PRIx32" for %d in "  \
@@ -329,10 +331,10 @@ int ff_init_vlc_sparse(VLC *vlc_arg, int nb_bits, int nb_codes,
            buf[j].symbol = i;                                              \
        j++;                                                                \
    }
-    COPY(buf[j].bits > nb_bits);
+    COPY(len > nb_bits);
    // qsort is the slowest part of init_vlc, and could probably be improved or avoided
    AV_QSORT(buf, j, struct VLCcode, compare_vlcspec);
-    COPY(buf[j].bits && buf[j].bits <= nb_bits);
+    COPY(len && len <= nb_bits);
    nb_codes = j;
    ret = build_table(vlc, nb_bits, nb_codes, buf, flags);