mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/mlz: Check output chars before using it
Fixes hypothetical integer overflow Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
0a2ca417a1
commit
47ffcddaef
|
@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
|
|||
mlz->bump_code = mlz->current_dic_index_max - 1;
|
||||
} else {
|
||||
if (string_code >= mlz->next_code) {
|
||||
output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
|
||||
output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
|
||||
int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
|
||||
if (ret < 0 || ret > size - output_chars) {
|
||||
av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
|
||||
return output_chars;
|
||||
}
|
||||
output_chars += ret;
|
||||
ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
|
||||
if (ret < 0 || ret > size - output_chars) {
|
||||
av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
|
||||
return output_chars;
|
||||
}
|
||||
output_chars += ret;
|
||||
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
|
||||
mlz->next_code++;
|
||||
} else {
|
||||
output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
|
||||
int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
|
||||
if (ret < 0 || ret > size - output_chars) {
|
||||
av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
|
||||
return output_chars;
|
||||
}
|
||||
output_chars += ret;
|
||||
if (output_chars <= size && !mlz->freeze_flag) {
|
||||
if (last_string_code != -1) {
|
||||
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
|
||||
|
|
Loading…
Reference in New Issue