According to the WebP Lossless Bitstream Specification
"each transform is allowed to be used only once".
If a transform is more than once this can lead to memory
corruption.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit
c089e720c1b753790c746a13053636d7facf6bf0)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
unsigned int data_size, int is_alpha_chunk)
{
WebPContext *s = avctx->priv_data;
unsigned int data_size, int is_alpha_chunk)
{
WebPContext *s = avctx->priv_data;
+ int w, h, ret, i, used;
if (!is_alpha_chunk) {
s->lossless = 1;
if (!is_alpha_chunk) {
s->lossless = 1;
/* parse transformations */
s->nb_transforms = 0;
s->reduced_width = 0;
/* parse transformations */
s->nb_transforms = 0;
s->reduced_width = 0;
while (get_bits1(&s->gb)) {
enum TransformType transform = get_bits(&s->gb, 2);
while (get_bits1(&s->gb)) {
enum TransformType transform = get_bits(&s->gb, 2);
+ if (used & (1 << transform)) {
+ av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n",
+ transform);
+ ret = AVERROR_INVALIDDATA;
+ goto free_and_return;
+ }
+ used |= (1 << transform);
s->transforms[s->nb_transforms++] = transform;
switch (transform) {
case PREDICTOR_TRANSFORM:
s->transforms[s->nb_transforms++] = transform;
switch (transform) {
case PREDICTOR_TRANSFORM: