diff options
author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-11-15 00:11:30 +0100 |
---|---|---|
committer | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2016-11-15 22:01:08 +0100 |
commit | 1abcd972c4c0e16f1e83be2fd32a251f51b2946d (patch) | |
tree | e958bdaee5141522744e1ae40f256da96fdd7d93 /libavcodec | |
parent | f1212e472b5f57b4f7243fc46f254647cf7e284d (diff) | |
download | ffmpeg-1abcd972c4c0e16f1e83be2fd32a251f51b2946d.tar.gz |
mlz: limit next_code to data buffer size
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/mlz.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c index a2d1b89cbc..ebce796ba5 100644 --- a/libavcodec/mlz.c +++ b/libavcodec/mlz.c @@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b } output_chars += ret; set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } else { int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars); @@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b if (output_chars <= size && !mlz->freeze_flag) { if (last_string_code != -1) { set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } } else { |