@@ -153,12 +153,27 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
mlz->bump_code = mlz->current_dic_index_max - 1;
} else {
if (string_code >= mlz->next_code) {
- output_chars += decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
- output_chars += decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+ int ret = decode_string(mlz, &buff[output_chars], last_string_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
+ ret = decode_string(mlz, &buff[output_chars], char_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
mlz->next_code++;
} else {
- output_chars += decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+ int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
+ if (ret < 0 || ret > size - output_chars) {
+ av_log(mlz->context, AV_LOG_ERROR, "output chars overflow\n");
+ return output_chars;
+ }
+ output_chars += ret;
if (output_chars <= size && !mlz->freeze_flag) {
if (last_string_code != -1) {
set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
Fixes hypothetical integer overflow Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/mlz.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-)