Commit 71d3c25a authored by Michael Niedermayer

smacker: Check get_vlc() return values.

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 8e77c384
...@@ -672,11 +672,19 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, ...@@ -672,11 +672,19 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data,
res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3);
else else
res = 0; res = 0;
if (res < 0) {
av_log(avctx, AV_LOG_ERROR, "invalid vlc\n");
return AVERROR_INVALIDDATA;
}
val = h[2].values[res]; val = h[2].values[res];
if(vlc[3].table) if(vlc[3].table)
res = get_vlc2(&gb, vlc[3].table, SMKTREE_BITS, 3); res = get_vlc2(&gb, vlc[3].table, SMKTREE_BITS, 3);
else else
res = 0; res = 0;
if (res < 0) {
av_log(avctx, AV_LOG_ERROR, "invalid vlc\n");
return AVERROR_INVALIDDATA;
}
val |= h[3].values[res] << 8; val |= h[3].values[res] << 8;
pred[1] += sign_extend(val, 16); pred[1] += sign_extend(val, 16);
*samples++ = av_clip_int16(pred[1]); *samples++ = av_clip_int16(pred[1]);
...@@ -685,11 +693,19 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, ...@@ -685,11 +693,19 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data,
res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3);
else else
res = 0; res = 0;
if (res < 0) {
av_log(avctx, AV_LOG_ERROR, "invalid vlc\n");
return AVERROR_INVALIDDATA;
}
val = h[0].values[res]; val = h[0].values[res];
if(vlc[1].table) if(vlc[1].table)
res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3);
else else
res = 0; res = 0;
if (res < 0) {
av_log(avctx, AV_LOG_ERROR, "invalid vlc\n");
return AVERROR_INVALIDDATA;
}
val |= h[1].values[res] << 8; val |= h[1].values[res] << 8;
pred[0] += sign_extend(val, 16); pred[0] += sign_extend(val, 16);
*samples++ = av_clip_int16(pred[0]); *samples++ = av_clip_int16(pred[0]);
...@@ -708,6 +724,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, ...@@ -708,6 +724,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data,
res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3);
else else
res = 0; res = 0;
if (res < 0) {
av_log(avctx, AV_LOG_ERROR, "invalid vlc\n");
return AVERROR_INVALIDDATA;
}
pred[1] += sign_extend(h[1].values[res], 8); pred[1] += sign_extend(h[1].values[res], 8);
*samples8++ = av_clip_uint8(pred[1]); *samples8++ = av_clip_uint8(pred[1]);
} else { } else {
...@@ -715,6 +735,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, ...@@ -715,6 +735,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data,
res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3);
else else
res = 0; res = 0;
if (res < 0) {
av_log(avctx, AV_LOG_ERROR, "invalid vlc\n");
return AVERROR_INVALIDDATA;
}
pred[0] += sign_extend(h[0].values[res], 8); pred[0] += sign_extend(h[0].values[res], 8);
*samples8++ = av_clip_uint8(pred[0]); *samples8++ = av_clip_uint8(pred[0]);
} }
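Review bot: Each added `return AVERROR_INVALIDDATA;` leaves smka_decode_frame directly, skipping any cleanup at the end of the function, which lies outside these hunks. If `vlc[]` and `h[]` are built earlier in the same call (the per-call `if(vlc[n].table)` tests suggest so, but the allocation is not visible here), every rejected packet would leak them, trading the fixed out-of-array read for memory growth on malformed input. Consider routing all six sites through one exit path, for example `ret = AVERROR_INVALIDDATA; goto error;`, where `ret` and `error` are placeholders for whatever cleanup path the function has or gains. A one-line comment at the first site, such as `/* a negative get_vlc2() result must never be used to index values[] */`, would also record why the check has to stay.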