avcodec/bitstream: Check bits in ff_init_vlc_sparse()

Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-04-18 02:47:10 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-04-18 02:47:50 +0200
commit: fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b (patch)
tree: 47373cb89ab3827c70b46251ec13ca2648829bce /libavcodec
parent: bdfe60c769f4d4e71a360fe02f06cdb9c039cf35 (diff)
download: ffmpeg-streaming-fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b.zip
ffmpeg-streaming-fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c
index 6bcdadb..6598d3e 100644
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@@ -305,6 +305,10 @@ int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
         GET_DATA(buf[j].bits, bits, i, bits_wrap, bits_size);\
         if (!(condition))\
             continue;\
+        if (buf[j].bits > 3*nb_bits || buf[j].bits>32) {\
+            av_log(NULL, AV_LOG_ERROR, "Too long VLC in init_vlc\n");\
+            return -1;\
+        }\
         GET_DATA(buf[j].code, codes, i, codes_wrap, codes_size);\
         if (flags & INIT_VLC_LE)\
             buf[j].code = bitswap_32(buf[j].code);\
author	Michael Niedermayer <michaelni@gmx.at>	2013-04-18 02:47:10 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-04-18 02:47:50 +0200
commit	fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b (patch)
tree	47373cb89ab3827c70b46251ec13ca2648829bce /libavcodec
parent	bdfe60c769f4d4e71a360fe02f06cdb9c039cf35 (diff)
download	ffmpeg-streaming-fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b.zip ffmpeg-streaming-fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b.tar.gz