Commit 8fdd93ea authored by Michael Niedermayer's avatar Michael Niedermayer

huffyuv: pad classic huffman tables so as to avoid bitreader overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 64c58f14
...@@ -85,13 +85,15 @@ typedef struct HYuvContext{ ...@@ -85,13 +85,15 @@ typedef struct HYuvContext{
static const unsigned char classic_shift_luma[] = { static const unsigned char classic_shift_luma[] = {
34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8, 34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70, 16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
69,68, 0 69,68, 0,
0,0,0,0,0,0,0,0,
}; };
static const unsigned char classic_shift_chroma[] = { static const unsigned char classic_shift_chroma[] = {
66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183, 66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119, 56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0 214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0,
0,0,0,0,0,0,0,0,
}; };
static const unsigned char classic_add_luma[256] = { static const unsigned char classic_add_luma[256] = {
...@@ -394,10 +396,10 @@ static int read_old_huffman_tables(HYuvContext *s){ ...@@ -394,10 +396,10 @@ static int read_old_huffman_tables(HYuvContext *s){
GetBitContext gb; GetBitContext gb;
int i; int i;
init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8); init_get_bits(&gb, classic_shift_luma, (sizeof(classic_shift_luma)-8)*8);
if(read_len_table(s->len[0], &gb)<0) if(read_len_table(s->len[0], &gb)<0)
return -1; return -1;
init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8); init_get_bits(&gb, classic_shift_chroma, (sizeof(classic_shift_chroma)-8)*8);
if(read_len_table(s->len[1], &gb)<0) if(read_len_table(s->len[1], &gb)<0)
return -1; return -1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment