smackerdec: Check that the last indexes are within the table.

Fixes CVE-2011-3944 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

smackerdec: Check that the last indexes are within the table.
Fixes CVE-2011-3944 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
1285baaa · Michael Niedermayer · 247d30a7 · 1285baaa
Commit 1285baaa authored Jan 25, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

smacker.c libavcodec/smacker.c +5 -0

No files found.
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
    if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
    if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
    if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+    if(huff.current > huff.length){
+        ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
+        av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
+        return -1;
+    }

    *recodes = huff.values;