avcodec/mlz: Check output chars before using it

Fixes hypothetical integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2016-09-08 19:55:24 +02:00
parent 0a2ca417a1
commit 47ffcddaef
1 changed files with 18 additions and 3 deletions

View File

@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
mlz->bump_code = mlz->current_dic_index_max - 1;
} else {
if (string_code >= mlz->next_code) {
output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
if (ret < 0 || ret > size - output_chars) {
av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
return output_chars;
}
output_chars += ret;
ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
if (ret < 0 || ret > size - output_chars) {
av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
return output_chars;
}
output_chars += ret;
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
mlz->next_code++;
} else {
output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
if (ret < 0 || ret > size - output_chars) {
av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
return output_chars;
}
output_chars += ret;
if (output_chars <= size && !mlz->freeze_flag) {
if (last_string_code != -1) {
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);