From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> This fixes segmentation faults due to stack-overflow caused by too deep recursion.
Reviewed-by: Michael Niedermayer <mich...@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Signed-off-by: Sean McGovern <gsean...@gmail.com>
---
 libavcodec/smacker.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index e829405..018892b 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -133,8 +133,13 @@ static int smacker_decode_tree(BitstreamContext *bc, HuffContext *hc,
 * Decode header tree */
 static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc,
- DBCtx *ctx)
+ DBCtx *ctx, int length)
 {
+ if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
+ av_log(NULL, AV_LOG_ERROR, "length too long\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 if (hc->current + 1 >= hc->length) {
 av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
 return AVERROR_INVALIDDATA;
@@ -163,12 +168,12 @@ static int smacker_decode_bigtree(BitstreamContext *bc, HuffContext *hc,
 int r = 0, r_new, t;
 t = hc->current++;
- r = smacker_decode_bigtree(bc, hc, ctx);
+ r = smacker_decode_bigtree(bc, hc, ctx, length + 1);
 if(r < 0) return r;
 hc->values[t] = SMK_NODE | r;
 r++;
- r_new = smacker_decode_bigtree(bc, hc, ctx);
+ r_new = smacker_decode_bigtree(bc, hc, ctx, length + 1);
 if (r_new < 0) return r_new;
 return r + r_new;
@@ -269,7 +274,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, BitstreamContext *bc,
 goto error;
 }
- if ((res = smacker_decode_bigtree(bc, &huff, &ctx)) < 0)
+ if ((res = smacker_decode_bigtree(bc, &huff, &ctx, 0)) < 0)
 err = res;
 bitstream_skip(bc, 1);
 if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
--
2.7.4
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
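Review bot: In the first hunk the new parameter counts recursion depth but is named `length`, and the check right after it compares `hc->current` with `hc->length`, which the existing "Tree size exceeded!" message shows is the tree size, so two unrelated limits share one name inside the same function. I would rename it to `depth` (also at the two `length + 1` call sites in the second hunk), lift `500` into a named constant, and log what was actually exceeded, e.g. `av_log(NULL, AV_LOG_ERROR, "Maximum bigtree recursion depth exceeded.\n");`. The constant deserves a comment saying that it bounds stack use while parsing an untrusted bitstream and that the value is an empirical choice; whether 500 nested frames fit on the smallest thread stack the decoder may run on cannot be seen from this patch and should be confirmed. The body of smacker_decode_bigtree continues outside the hunk.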