[FFmpeg-devel] [PATCH] avcodec/mlz: Check output chars before using it

Michael Niedermayer michael at niedermayer.cc
Thu Sep 8 21:42:59 EEST 2016


Fixes hypothetical integer overflow

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/mlz.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index 039635d..a2d1b89 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                     mlz->bump_code = mlz->current_dic_index_max - 1;
                 } else {
                     if (string_code >= mlz->next_code) {
-                        output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
-                        output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
+                        ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                         set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
                         mlz->next_code++;
                     } else {
-                        output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                         if (output_chars <= size && !mlz->freeze_flag) {
                             if (last_string_code != -1) {
                                 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
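Review bot: The three new error paths at L25, L31 and L41 log an error but return `output_chars`, a non-negative count that is indistinguishable from a successful decode, so a caller that checks only for a negative return will process a truncated buffer as if it were complete; if the function's contract permits a negative return, `return AVERROR_INVALIDDATA;` would make the failure visible, otherwise the caller's handling of a short count should be documented. The check also runs after decode_string has returned, so if that helper writes as many bytes as it reports rather than honouring the `size - output_chars` limit, the write past `buff` has already happened by the time `ret > size - output_chars` is evaluated — decode_string is outside the hunk, so this is inferred and worth confirming. Separately, the same five-line check is repeated three times; folding it into a small static helper keeps the bound in one place. ff_mlz_decompression starts and ends outside this hunk.
```c
/* Decode one string into buff starting at output_chars.
 * Returns the number of bytes written, or -1 when decode_string failed
 * or reported more bytes than the remaining space allows. */
static int decode_string_bounded(MLZ *mlz, unsigned char *buff, int output_chars,
                                 int size, int string_code, int *char_code)
{
    int ret = decode_string(mlz, &buff[output_chars], string_code, char_code, size - output_chars);
    if (ret < 0 || ret > size - output_chars) {
        av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
        return -1;
    }
    return ret;
}
// … unchanged: loop body up to the string_code >= next_code branch …
                        int ret = decode_string_bounded(mlz, buff, output_chars, size, last_string_code, &char_code);
                        if (ret < 0)
                            return output_chars;
                        output_chars += ret;
// … same pattern replaces the remaining two decode_string calls …
```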
-- 
2.9.3


