highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mlz: limit next_code to data buffer size

Browse Source 
This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1abcd972c4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This commit is contained in:
Andreas Cadhalpun
2016-11-15 00:11:30 +01:00
parent c8f5154fc1
commit a2c7840a6b
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/mlz.c
View File

@@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
} }
output_chars += ret; output_chars += ret;
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
if (mlz->next_code >= TABLE_SIZE - 1) {
av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
return output_chars;
}
mlz->next_code++; mlz->next_code++;
} else { } else {
int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars); int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
@@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
if (output_chars <= size && !mlz->freeze_flag) { if (output_chars <= size && !mlz->freeze_flag) {
if (last_string_code != -1) { if (last_string_code != -1) {
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
if (mlz->next_code >= TABLE_SIZE - 1) {
av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
return output_chars;
}
mlz->next_code++; mlz->next_code++;
} }
} else { } else {