From 47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 8 Sep 2016 19:55:24 +0200
Subject: [PATCH] avcodec/mlz: Check output chars before using it
Fixes hypothetical integer overflow
Signed-off-by: Michael Niedermayer
---
 libavcodec/mlz.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index 039635dcf1..a2d1b89cbc 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
 mlz->bump_code = mlz->current_dic_index_max - 1;
 } else {
 if (string_code >= mlz->next_code) {
- output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
- output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+ int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
+ ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
 mlz->next_code++;
 } else {
- output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+ int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
 if (output_chars <= size && !mlz->freeze_flag) {
 if (last_string_code != -1) {
 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
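Review bot: The same five-line guard is repeated verbatim after each of the three decode_string() calls in this hunk, with an identical log message; a small `static` helper that performs the call, validates `ret` against `size - output_chars`, advances `output_chars` and reports failure would reduce each call site to one line and make any later change to the bound check a single edit. On the error path the new code returns `output_chars`, a non-negative count, so a caller that only inspects the count cannot distinguish a decode cut short by corrupt input from a complete one; if callers check for errors, a negative `AVERROR` code would follow the FFmpeg convention, but how the return value is consumed is outside this hunk and should be confirmed before changing it. With the new bound check in place, `output_chars <= size` on the following context line `if (output_chars <= size && !mlz->freeze_flag)` is always true on the third path and could be reduced to `if (!mlz->freeze_flag)`, or kept with a comment saying it is now redundant. ff_mlz_decompression begins before and continues after this hunk.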