exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

exr: fix out of bounds read in get_code
This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
90b99a81 · Andreas Cadhalpun · 4d5c3b02 · 90b99a81
Commit 90b99a81 authored Dec 13, 2015 by Andreas Cadhalpun
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

exr.c libavcodec/exr.c +5 -5

No files found.
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
        lc += 8;                                                              \
 }
-#define get_code(po, rlc, c, lc, gb, out, oe)                                 \
+#define get_code(po, rlc, c, lc, gb, out, oe, outb)                           \
 {                                                                             \
        if (po == rlc) {                                                      \
            if (lc < 8)                                                       \
@@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im,
                                                                              \
            cs = c >> lc;                                                     \
                                                                              \
-            if (out + cs > oe)                                                \
+            if (out + cs > oe || out == outb)                                 \
                return AVERROR_INVALIDDATA;                                   \
                                                                              \
            s = out[-1];                                                      \
@@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
            if (pl.len) {
                lc -= pl.len;
-                get_code(pl.lit, rlc, c, lc, gb, out, oe);
+                get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
            } else {
                int j;
@@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
                        if ((hcode[pl.p[j]] >> 6) ==
                            ((c >> (lc - l)) & ((1LL << l) - 1))) {
                            lc -= l;
-                            get_code(pl.p[j], rlc, c, lc, gb, out, oe);
+                            get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
                            break;
                        }
                    }
@@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod,
        if (pl.len) {
            lc -= pl.len;
-            get_code(pl.lit, rlc, c, lc, gb, out, oe);
+            get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
        } else {
            return AVERROR_INVALIDDATA;
        }