Merge commit '0ccddbad200c1d9439c5a836501917d515cddf76'

* commit '0ccddbad200c1d9439c5a836501917d515cddf76': smacker: limit recursion depth of smacker_decode_bigtree See 946ecd19ea Merged-by: James Almer <jamrial@gmail.com>
7 years ago · d2ad6f1192
parent b3e5899e47 0ccddbad20
commit d2ad6f1192
1 changed files with 7 additions and 3 deletions
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@ -44,6 +44,7 @@
 #define SMK_NODE 0x80000000

 #define SMKTREE_DECODE_MAX_RECURSION 32
+#define SMKTREE_DECODE_BIG_MAX_RECURSION 500

 typedef struct SmackVContext {
    AVCodecContext *avctx;
@ -131,12 +132,15 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
 /**
 * Decode header tree
 */
-static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx, int length)
+static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc,
+                                  DBCtx *ctx, int length)
 {
-    if(length > 500) { // Larger length can cause segmentation faults due to too deep recursion.
-        av_log(NULL, AV_LOG_ERROR, "length too long\n");
+    // Larger length can cause segmentation faults due to too deep recursion.
+    if (length > SMKTREE_DECODE_BIG_MAX_RECURSION) {
+        av_log(NULL, AV_LOG_ERROR, "Maximum bigtree recursion level exceeded.\n");
        return AVERROR_INVALIDDATA;
    }
+
    if (hc->current + 1 >= hc->length) {
        av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
        return AVERROR_INVALIDDATA;