Merge commit '0ccddbad'

* commit '0ccddbad': smacker: limit recursion depth of smacker_decode_bigtree See 946ecd19Merged-by: James Almer <jamrial@gmail.com>

Merge commit '0ccddbad'
* commit '0ccddbad': smacker: limit recursion depth of smacker_decode_bigtree See 946ecd19Merged-by: James Almer <jamrial@gmail.com>
d2ad6f11 · James Almer · b3e5899e · 0ccddbad · d2ad6f11
Commit d2ad6f11 authored Nov 12, 2017 by James Almer
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

smacker.c libavcodec/smacker.c +7 -3

No files found.
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -44,6 +44,7 @@
 #define SMK_NODE 0x80000000

 #define SMKTREE_DECODE_MAX_RECURSION 32
+#define SMKTREE_DECODE_BIG_MAX_RECURSION 500

 typedef struct SmackVContext {
    AVCodecContext *avctx;
@@ -131,12 +132,15 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 /**
 * Decode header tree
 */
-static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
+static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc,
+                                  DBCtx *ctx, int length)
 {
-    if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
-        av_log(NULL, AV_LOG_ERROR, "length too long\n");
+    // Larger length can cause segmentation faults due to too deep recursion.
+    if (length > SMKTREE_DECODE_BIG_MAX_RECURSION) {
+        av_log(NULL, AV_LOG_ERROR, "Maximum bigtree recursion level exceeded.\n");
        return AVERROR_INVALIDDATA;
    }
+
    if (hc->current + 1 >= hc->length) {
        av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
        return AVERROR_INVALIDDATA;