ffmpeg | branch: master | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Thu Mar 5 22:48:28 2015 +0100| [c089e720c1b753790c746a13053636d7facf6bf0] | committer: Michael Niedermayer
webp: ensure that each transform is only used once According to the WebP Lossless Bitstream Specification "each transform is allowed to be used only once". If a transform is more than once this can lead to memory corruption. Signed-off-by: Michael Niedermayer <michae...@gmx.at> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c089e720c1b753790c746a13053636d7facf6bf0 --- libavcodec/webp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 9549c0e..47e9e9e 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1104,7 +1104,7 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, unsigned int data_size, int is_alpha_chunk) { WebPContext *s = avctx->priv_data; - int w, h, ret, i; + int w, h, ret, i, used; if (!is_alpha_chunk) { s->lossless = 1; @@ -1154,8 +1154,16 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, /* parse transformations */ s->nb_transforms = 0; s->reduced_width = 0; + used = 0; while (get_bits1(&s->gb)) { enum TransformType transform = get_bits(&s->gb, 2); + if (used & (1 << transform)) { + av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n", + transform); + ret = AVERROR_INVALIDDATA; + goto free_and_return; + } + used |= (1 << transform); s->transforms[s->nb_transforms++] = transform; switch (transform) { case PREDICTOR_TRANSFORM: _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog