
avcodec/truemotion2: Check huffman code max bits

Fixes: Timeout
Fixes: 10984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6643310750859264

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
tags/n4.2
Michael Niedermayer 7 years ago
parent
commit
77bf85515e
1 changed files with 14 additions and 5 deletions
  1. +14
    -5
      libavcodec/truemotion2.c

+ 14
- 5
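--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -112,9 +112,13 @@ typedef struct TM2Huff {
 int *lens; ///< codelengths
 } TM2Huff;
 
+/**
+*
+* @returns the length of the longest code or an AVERROR code
+*/
 static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff *huff)
 {
-int ret;
+int ret, ret2;
 if (length > huff->max_bits) {
 av_log(ctx->avctx, AV_LOG_ERROR, "Tree exceeded its given depth (%i)\n",
 huff->max_bits);
@@ -133,14 +137,14 @@ static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff *
 huff->bits[huff->num] = prefix;
 huff->lens[huff->num] = length;
 huff->num++;
-return 0;
+return length;
 } else { /* non-terminal node */
-if ((ret = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
-return ret;
+if ((ret2 = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
+return ret2;
 if ((ret = tm2_read_tree(ctx, (prefix << 1) | 1, length + 1, huff)) < 0)
 return ret;
 }
-return 0;
+return FFMAX(ret, ret2);
 }
 
 static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
@@ -183,6 +187,11 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
 
 res = tm2_read_tree(ctx, 0, 0, &huff);
 
+if (res >= 0 && res != huff.max_bits) {
+av_log(ctx->avctx, AV_LOG_ERROR, "Got less bits than expected: %i of %i\n",
+res, huff.max_bits);
+res = AVERROR_INVALIDDATA;
+}
 if (huff.num != huff.max_num) {
 av_log(ctx->avctx, AV_LOG_ERROR, "Got less codes than expected: %i of %i\n",
 huff.num, huff.max_num);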
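Review bot: The new `res != huff.max_bits` check in tm2_build_huff_table has no comment saying why a tree shallower than its declared depth is rejected, and the commit message records only "Fixes: Timeout", so a later maintainer could relax it as over-strict. A short why-comment above the `if` would help, for example `/* The longest code must use the full declared max_bits; shallower trees are rejected (fuzzer-found timeout). */`. The Doxygen block added above tm2_read_tree also leaves its description line empty; a one-line summary such as `* Recursively read the Huffman tree, recording each leaf's code and length in huff.` would complete it. tm2_build_huff_table continues outside the hunk, so how `res` is consumed after the second check is not visible here.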

