avcodec/bitstream: Check bits in ff_init_vlc_sparse()

Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2024-12-23 12:43:46 +02:00 · 2013-04-18 02:47:10 +02:00 · 2013-04-18 02:47:10 +02:00 · fb3e3808ae
commit fb3e3808ae
parent bdfe60c769
1 changed files with 4 additions and 0 deletions
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@ -305,6 +305,10 @@ int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
        GET_DATA(buf[j].bits, bits, i, bits_wrap, bits_size);\
        if (!(condition))\
            continue;\
+        if (buf[j].bits > 3*nb_bits || buf[j].bits>32) {\
+            av_log(NULL, AV_LOG_ERROR, "Too long VLC in init_vlc\n");\
+            return -1;\
+        }\
        GET_DATA(buf[j].code, codes, i, codes_wrap, codes_size);\
        if (flags & INIT_VLC_LE)\
            buf[j].code = bitswap_32(buf[j].code);\