ffmpeg | branch: release/3.2 | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Tue Nov 15 00:11:30 2016 +0100| [a2c7840a6b69671adec490cac375f51e09a654b4] | committer: Andreas Cadhalpun
mlz: limit next_code to data buffer size This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <mich...@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> (cherry picked from commit 1abcd972c4c0e16f1e83be2fd32a251f51b2946d) Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a2c7840a6b69671adec490cac375f51e09a654b4 --- libavcodec/mlz.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c index a2d1b89..ebce796 100644 --- a/libavcodec/mlz.c +++ b/libavcodec/mlz.c @@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b } output_chars += ret; set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } else { int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars); @@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b if (output_chars <= size && !mlz->freeze_flag) { if (last_string_code != -1) { set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } } else { _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog