[SCM] libav/experimental: fix a buffer overrun on corrupt huffyuv streams

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sun Jun 30 16:48:35 UTC 2013


The following commit has been merged in the experimental branch:
commit e30004fa733ec64b6ff90678098c1f1132d4d603
Author: Loren Merritt <lorenm at u.washington.edu>
Date:   Sat Jul 4 23:59:10 2009 +0000

    fix a buffer overrun on corrupt huffyuv streams
    
    Originally committed as revision 19346 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
index ad2f25f..40d980d 100644
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -213,7 +213,7 @@ static inline void sub_left_prediction_bgr32(HYuvContext *s, uint8_t *dst, uint8
     *blue=  src[(w-1)*4+B];
 }
 
-static void read_len_table(uint8_t *dst, GetBitContext *gb){
+static int read_len_table(uint8_t *dst, GetBitContext *gb){
     int i, val, repeat;
 
     for(i=0; i<256;){
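Review bot: read_len_table now returns a status, but the new contract is not documented at the definition. A short comment above the signature would cover it, e.g. `/* Fills dst[0..255] from (val, repeat) runs; returns 0 on success, -1 if a run would go past entry 255. */`. The 256-entry size of `dst` is implied only by the loop bound, so stating it there also tells callers what buffer they must pass. The function body continues outside this hunk.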
@@ -222,9 +222,14 @@ static void read_len_table(uint8_t *dst, GetBitContext *gb){
         if(repeat==0)
             repeat= get_bits(gb, 8);
 //printf("%d %d\n", val, repeat);
+        if(i+repeat > 256) {
+            av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
+            return -1;
+        }
         while (repeat--)
             dst[i++] = val;
     }
+    return 0;
 }
 
 static int generate_bits_table(uint32_t *dst, uint8_t *len_table){
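Review bot: The new bound stops the write past `dst[255]`, but a run whose 8-bit `repeat` is also zero still passes it: `while (repeat--)` writes nothing, `i` does not advance, and the `for(i=0; i<256;)` loop from the previous hunk keeps pulling bits. Nothing visible here checks how many bits remain in `gb`, so on a truncated or zero-filled table the loop's termination depends on what the reader returns beyond the input; whether get_bits() is bounds-checked in this tree is not visible. Consider failing on exhaustion as well, e.g. `if(i+repeat > 256 || get_bits_left(gb) < 0) {`, assuming a remaining-bits helper such as get_bits_left() is available in this tree. The function's opening lines are in the previous hunk.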
@@ -379,8 +384,8 @@ static int read_huffman_tables(HYuvContext *s, uint8_t *src, int length){
     init_get_bits(&gb, src, length*8);
 
     for(i=0; i<3; i++){
-        read_len_table(s->len[i], &gb);
-
+        if(read_len_table(s->len[i], &gb)<0)
+            return -1;
         if(generate_bits_table(s->bits[i], s->len[i])<0){
             return -1;
         }
@@ -404,9 +409,11 @@ static int read_old_huffman_tables(HYuvContext *s){
     int i;
 
     init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
-    read_len_table(s->len[0], &gb);
+    if(read_len_table(s->len[0], &gb)<0)
+        return -1;
     init_get_bits(&gb, classic_shift_chroma, sizeof(classic_shift_chroma)*8);
-    read_len_table(s->len[1], &gb);
+    if(read_len_table(s->len[1], &gb)<0)
+        return -1;
 
     for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma  [i];
     for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i];

-- 
Libav/FFmpeg packaging


