Fixes a hypothetical integer overflow
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/mlz.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index 039635d..a2d1b89 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int
size, unsigned char *b
mlz->bump_code = mlz->current_dic_index_max - 1;
} else {
if (string_code >= mlz->next_code) {
- output_chars += decode_string(mlz,
&buff[output_chars], last_string_code, &char_code, size - output_chars);
- output_chars += decode_string(mlz,
&buff[output_chars], char_code, &char_code, size - output_chars);
+ int ret = decode_string(mlz, &buff[output_chars],
last_string_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars
overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
+ ret = decode_string(mlz, &buff[output_chars],
char_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars
overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
set_new_entry_dict(dict, mlz->next_code,
last_string_code, char_code);
mlz->next_code++;
} else {
- output_chars += decode_string(mlz,
&buff[output_chars], string_code, &char_code, size - output_chars);
+ int ret = decode_string(mlz, &buff[output_chars],
string_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars
overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
if (output_chars <= size && !mlz->freeze_flag) {
if (last_string_code != -1) {
set_new_entry_dict(dict, mlz->next_code,
last_string_code, char_code);
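Review bot: On each of the three new overflow paths the function returns `output_chars`, a non-negative count that a caller cannot tell apart from a clean decode of that length, so a corrupt stream is logged but not rejected; provided ff_mlz_decompression's callers (outside this hunk) check for a negative result, `return AVERROR_INVALIDDATA;` at each site would make the rejection visible. The bounds check and the av_log call are copied verbatim after all three decode_string() calls; a small static helper taking `ret` and the remaining size would keep the three sites in step. Once `ret > size - output_chars` is rejected, the context condition `output_chars <= size` near the end of the hunk can no longer be false and could be dropped in a follow-up. ff_mlz_decompression's body begins and ends outside this hunk.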
--
2.9.3