avcodec/truemotion2: Check huffman code max bits

Fixes: Timeout
Fixes: 10984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6643310750859264

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2018-11-19 23:47:13 +01:00
parent 3fc7b69496
commit 77bf85515e


@ -112,9 +112,13 @@ typedef struct TM2Huff {
int *lens; ///< codelengths
} TM2Huff;
/**
*
* @returns the length of the longest code or an AVERROR code
*/
static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff *huff)
{
int ret;
int ret, ret2;
if (length > huff->max_bits) {
av_log(ctx->avctx, AV_LOG_ERROR, "Tree exceeded its given depth (%i)\n",
huff->max_bits);
@ -133,14 +137,14 @@ static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff *
huff->bits[huff->num] = prefix;
huff->lens[huff->num] = length;
huff->num++;
return 0;
return length;
} else { /* non-terminal node */
if ((ret = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
return ret;
if ((ret2 = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
return ret2;
if ((ret = tm2_read_tree(ctx, (prefix << 1) | 1, length + 1, huff)) < 0)
return ret;
}
return 0;
return FFMAX(ret, ret2);
}
static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
@ -183,6 +187,11 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
res = tm2_read_tree(ctx, 0, 0, &huff);
if (res >= 0 && res != huff.max_bits) {
av_log(ctx->avctx, AV_LOG_ERROR, "Got less bits than expected: %i of %i\n",
res, huff.max_bits);
res = AVERROR_INVALIDDATA;
}
if (huff.num != huff.max_num) {
av_log(ctx->avctx, AV_LOG_ERROR, "Got less codes than expected: %i of %i\n",
huff.num, huff.max_num);
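Review bot: The doc comment added above tm2_read_tree has an empty description line and documents only the return value, although that return value is now what tm2_build_huff_table compares against huff.max_bits. I would fill in the description, e.g. `* Recursively read the subtree rooted at (prefix, length) and append its leaves to huff.`, and state that a non-negative return is the depth of the deepest leaf in that subtree. In the non-terminal branch the first call stores into `ret2` and the second into `ret`, which reads backwards; naming each after the subtree it holds would make `FFMAX(ret, ret2)` easier to audit. The test `res != huff.max_bits` also rejects a tree that is merely shallower than its declared depth, so a short comment saying this strictness is intentional would help the next reader. The middle of tm2_read_tree and the rest of tm2_build_huff_table lie outside the visible hunks.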