avcodec/mlz: Check output chars before using it

Fixes hypothetical integer overflow Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2016-09-08 19:55:24 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2016-09-21 16:28:14 +0200
commit: 47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28 (patch)
tree: 927a2930b4ec1350588212a32b4bf9de29f0869d
parent: 0a2ca417a1d768ac2011e7f6c655d162051c3eb1 (diff)
download: ffmpeg-47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28.tar.gz
1 files changed, 18 insertions, 3 deletions
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index 039635dcf1..a2d1b89cbc 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                     mlz->bump_code = mlz->current_dic_index_max - 1;
                 } else {
                     if (string_code >= mlz->next_code) {
-                        output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
-                        output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
+                        ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                         set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
                         mlz->next_code++;
                     } else {
-                        output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                         if (output_chars <= size && !mlz->freeze_flag) {
                             if (last_string_code != -1) {
                                 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
author	Michael Niedermayer <michael@niedermayer.cc>	2016-09-08 19:55:24 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2016-09-21 16:28:14 +0200
commit	47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28 (patch)
tree	927a2930b4ec1350588212a32b4bf9de29f0869d
parent	0a2ca417a1d768ac2011e7f6c655d162051c3eb1 (diff)
download	ffmpeg-47ffcddaefeeb5c994af2ae2a09f34a91bc1ed28.tar.gz