Adding more checks to canonical Huffman decoder's table initialization function. They don't seem necessary, as I didn't discover them during fuzzing. These fixes are precautionary.

2026-06-08 08:33:53 +00:00 · 2019-05-10 16:30:15 -07:00
parent 5a9c6e5b05
commit 4f08db6525
1 changed files with 22 additions and 3 deletions
--- a/transcoder/basisu_transcoder_internal.h
+++ b/transcoder/basisu_transcoder_internal.h
@@ -123,6 +123,12 @@ namespace basist
 					uint32_t k = (code_size << 16) | sym_index;
 					while (rev_code < basisu::cHuffmanFastLookupSize)
 					{
+						if (m_lookup[rev_code] != 0)
+						{
+							// Supplied codesizes can't create a valid prefix code.
+							return false;
+						}
+
 						m_lookup[rev_code] = k;
 						rev_code += (1 << code_size);
 					}
@@ -132,7 +138,14 @@ namespace basist
 				int tree_cur;
 				if (0 == (tree_cur = m_lookup[rev_code & (basisu::cHuffmanFastLookupSize - 1)]))
 				{
-					m_lookup[rev_code & (basisu::cHuffmanFastLookupSize - 1)] = tree_next;
+					const uint32_t idx = rev_code & (basisu::cHuffmanFastLookupSize - 1);
+					if (m_lookup[idx] != 0)
+					{
+						// Supplied codesizes can't create a valid prefix code.
+						return false;
+					}
+
+					m_lookup[idx] = tree_next;
 					tree_cur = tree_next;
 					tree_next -= 2;
 				}
@@ -149,7 +162,7 @@ namespace basist
 				{
 					tree_cur -= ((rev_code >>= 1) & 1);

-					int idx = -tree_cur - 1;
+					const int idx = -tree_cur - 1;
 					if (idx < 0)
 						return false;
 					else if (idx >= (int)m_tree.size())
@@ -174,12 +187,18 @@ namespace basist

 				tree_cur -= ((rev_code >>= 1) & 1);

-				int idx = -tree_cur - 1;
+				const int idx = -tree_cur - 1;
 				if (idx < 0)
 					return false;
 				else if (idx >= (int)m_tree.size())
 					m_tree.resize(idx + 1);

+				if (m_tree[idx] != 0)
+				{
+					// Supplied codesizes can't create a valid prefix code.
+					return false;
+				}
+
 				m_tree[idx] = (int16_t)sym_index;
 			}