[FFmpeg-cvslog] avcodec/mlz: Check output chars before using it

Michael Niedermayer git at videolan.org
Wed Sep 21 17:49:21 EEST 2016


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Thu Sep  8 19:55:24 2016 +0200| [47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28] | committer: Michael Niedermayer

avcodec/mlz: Check output chars before using it

Fixes hypothetical integer overflow

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28
---

 libavcodec/mlz.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index 039635d..a2d1b89 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                     mlz->bump_code = mlz->current_dic_index_max - 1;
                 } else {
                     if (string_code >= mlz->next_code) {
-                        output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
-                        output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
+                        ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                         set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
                         mlz->next_code++;
                     } else {
-                        output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                         if (output_chars <= size && !mlz->freeze_flag) {
                             if (last_string_code != -1) {
                                 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
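Review bot: The same five-line check-log-return sequence is now written out three times after the three decode_string calls in this hunk, which invites the three copies to drift; a small static helper that validates decode_string's result against the remaining room and returns a negative value on failure keeps the policy in one place. Once that bound holds, the `output_chars <= size` part of the condition after the third call is always true, because `ret <= size - output_chars` is exactly what was just checked, so it could be dropped or turned into an `av_assert0`. Returning `output_chars` on the error path hands the caller a partial count that looks like success; whether callers rely on that cannot be seen from here, so it is worth a comment such as `/* on overflow the partial count is returned; the error is only logged */` if it is intentional. ff_mlz_decompression starts and ends outside this hunk, and the parameter types below are taken from the call sites, so confirm them against decode_string's prototype.
```c
/* Wraps decode_string and refuses a result that would exceed the room left in buff.
 * Returns the number of chars written, or -1 after logging on overflow. */
static int decode_string_checked(MLZ *mlz, unsigned char *buff, int string_code,
                                 int *char_code, int room)
{
    int ret = decode_string(mlz, buff, string_code, char_code, room);
    if (ret < 0 || ret > room) {
        av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
        return -1;
    }
    return ret;
}

/* … unchanged: loop head and bump_code handling … */
                        int ret = decode_string_checked(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
                        if (ret < 0)
                            return output_chars;
                        output_chars += ret;
                        ret = decode_string_checked(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
                        if (ret < 0)
                            return output_chars;
                        output_chars += ret;
/* … unchanged: set_new_entry_dict / next_code++ and the else branch, which uses the same helper … */
```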


