[FFmpeg-cvslog] mlz: limit next_code to data buffer size
Andreas Cadhalpun
git at videolan.org
Fri Nov 18 01:08:42 EET 2016
ffmpeg | branch: release/3.2 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Tue Nov 15 00:11:30 2016 +0100| [a2c7840a6b69671adec490cac375f51e09a654b4] | committer: Andreas Cadhalpun
mlz: limit next_code to data buffer size
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 1abcd972c4c0e16f1e83be2fd32a251f51b2946d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a2c7840a6b69671adec490cac375f51e09a654b4
---
libavcodec/mlz.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index a2d1b89..ebce796 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
}
output_chars += ret;
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+ if (mlz->next_code >= TABLE_SIZE - 1) {
+ av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+ return output_chars;
+ }
mlz->next_code++;
} else {
int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
@@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
if (output_chars <= size && !mlz->freeze_flag) {
if (last_string_code != -1) {
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+ if (mlz->next_code >= TABLE_SIZE - 1) {
+ av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+ return output_chars;
+ }
mlz->next_code++;
}
} else {
More information about the ffmpeg-cvslog
mailing list