From b6f74c3764a58f3b63e4040794e9120f7da580e2 Mon Sep 17 00:00:00 2001 From: Jiyong Min Date: Fri, 20 Apr 2018 09:49:20 +0900 Subject: [PATCH] [CVE-2017-16803] smacker: add sanity check for length in smacker_decode_tree() Bug-Id: 1098 Cc: libav-stable@libav.org Signed-off-by: Sean McGovern Change-Id: I2e2236de12a0f6dead47f671907920b4193ff9a0 --- libavcodec/smacker.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e3e54752a..6a327af4a 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -42,7 +42,7 @@ #define SMKTREE_BITS 9 #define SMK_NODE 0x80000000 - +#define SMKTREE_DECODE_MAX_RECURSION 32 typedef struct SmackVContext { AVCodecContext *avctx; @@ -95,6 +95,11 @@ enum SmkBlockTypes { */ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t prefix, int length) { + if (length > SMKTREE_DECODE_MAX_RECURSION) { + av_log(NULL, AV_LOG_ERROR, "Maximum tree recursion level exceeded.\n"); + return AVERROR_INVALIDDATA; + } + if(!get_bits1(gb)){ //Leaf if(hc->current >= 256){ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n"); -- 2.34.1