[FFmpeg-devel] [PATCH] mlz: limit next_code to data buffer size
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Tue Nov 15 01:12:45 EET 2016
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavcodec/mlz.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index a2d1b89..ebce796 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
}
output_chars += ret;
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+ if (mlz->next_code >= TABLE_SIZE - 1) {
+ av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+ return output_chars;
+ }
mlz->next_code++;
} else {
int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
@@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
if (output_chars <= size && !mlz->freeze_flag) {
if (last_string_code != -1) {
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+ if (mlz->next_code >= TABLE_SIZE - 1) {
+ av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+ return output_chars;
+ }
mlz->next_code++;
}
} else {
--
2.10.2
More information about the ffmpeg-devel
mailing list