avcodec/mlz: Check output chars before using it

Fixes hypothetical integer overflow Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-09-08 19:55:24 +02:00 · 2016-09-08 19:55:24 +02:00 · 47ffcddaef
commit 47ffcddaef
parent 0a2ca417a1
1 changed files with 18 additions and 3 deletions
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                    mlz->bump_code = mlz->current_dic_index_max - 1;
                } else {
                    if (string_code >= mlz->next_code) {
-                        output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
-                        output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
+                        ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                        set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
                        mlz->next_code++;
                    } else {
-                        output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+                        if (ret < 0 || ret > size - output_chars) {
+                            av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+                            return output_chars;
+                        }
+                        output_chars += ret;
                        if (output_chars <= size && !mlz->freeze_flag) {
                            if (last_string_code != -1) {
                                set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);