Message ID | 83c83f05-404d-f9c9-5458-eb312144e1a8@googlemail.com
---|---
State | Accepted
Commit | 1abcd972c4c0e16f1e83be2fd32a251f51b2946d
On Tue, Nov 15, 2016 at 12:12:45AM +0100, Andreas Cadhalpun wrote:
> This fixes a heap-buffer-overflow detected by AddressSanitizer.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavcodec/mlz.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

Probably ok

thx

[...]
On 15.11.2016 10:55, Michael Niedermayer wrote:
> On Tue, Nov 15, 2016 at 12:12:45AM +0100, Andreas Cadhalpun wrote:
>> This fixes a heap-buffer-overflow detected by AddressSanitizer.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavcodec/mlz.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>
> Probably ok

Pushed.

Best regards,
Andreas
diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c index a2d1b89..ebce796 100644 --- a/libavcodec/mlz.c +++ b/libavcodec/mlz.c @@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b } output_chars += ret; set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } else { int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars); @@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b if (output_chars <= size && !mlz->freeze_flag) { if (last_string_code != -1) { set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } } else {
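Review bot: in the first hunk (the `set_new_entry_dict` call after `output_chars += ret`) the new bound check is placed after `set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);`, so the dictionary entry at index `next_code` is still stored before `next_code` is compared against `TABLE_SIZE - 1`. That is only correct if the dictionary really holds `TABLE_SIZE` entries (valid indices up to `TABLE_SIZE - 1`), which the hunk does not show; moving the check ahead of the store, or adding a one-line comment stating that index `TABLE_SIZE - 1` is valid, would make the invariant explicit. Separately, `return output_chars;` on this path looks to the caller like an ordinary short decode rather than corrupt input; if the caller should treat it as an error, returning a negative value such as `AVERROR_INVALIDDATA` after the `av_log` would be clearer.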
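Review bot: the second hunk (inside `if (last_string_code != -1)`) duplicates the four-line check from the first hunk verbatim, with the same ordering after `set_new_entry_dict`. Factoring the check into a small static helper, or performing it once at the top of the loop before any entry is stored, would keep the two paths from drifting apart and put the `TABLE_SIZE` bound in one place.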
This fixes a heap-buffer-overflow detected by AddressSanitizer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/mlz.c | 8 ++++++++
 1 file changed, 8 insertions(+)