From patchwork Tue Nov 8 23:42:16 2016
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 1355
From: Andreas Cadhalpun X-Google-Original-From: Andreas Cadhalpun To: FFmpeg development discussions and patches Message-ID: <97079311-c64b-2019-e000-4f9b5aab19fa@googlemail.com> Date: Wed, 9 Nov 2016 00:42:16 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] escape124: reject codebook size 0 X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" It causes a cb_depth of 32, leading to assertion failures in get_bits. Signed-off-by: Andreas Cadhalpun --- libavcodec/escape124.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index b872b3a..c3174ce 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -249,6 +249,10 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This codebook can be cut off at places other than // powers of 2, leaving some of the entries undefined. cb_size = get_bits_long(&gb, 20); + if (!cb_size) { + av_log(avctx, AV_LOG_ERROR, "Invalid codebook size 0.\n"); + return AVERROR_INVALIDDATA; + } cb_depth = av_log2(cb_size - 1) + 1; } else { cb_depth = get_bits(&gb, 4);
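Review bot: the new `if (!cb_size)` check in escape124_decode_frame() has no comment saying why 0 is rejected, so the link to `cb_depth = av_log2(cb_size - 1) + 1;` on the next line is only recorded in the commit message. A one-line comment above the check would help, for example that a size of 0 makes `cb_size - 1` wrap and yields the cb_depth of 32 that get_bits asserts on. Placing the check directly after `get_bits_long(&gb, 20)` and before the subtraction is right. The else branch takes cb_depth from `get_bits(&gb, 4)`, so it cannot reach 32 and needs no equivalent guard for this failure. Since that 4-bit field can be 0, it is worth confirming in the code below the hunk that a depth of 0 is handled.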