From patchwork Mon Nov 14 23:12:45 2016
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 1424
From: Andreas Cadhalpun X-Google-Original-From: Andreas Cadhalpun To: FFmpeg development discussions and patches Message-ID: <83c83f05-404d-f9c9-5458-eb312144e1a8@googlemail.com> Date: Tue, 15 Nov 2016 00:12:45 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] mlz: limit next_code to data buffer size X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" This fixes a heap-buffer-overflow detected by AddressSanitizer. Signed-off-by: Andreas Cadhalpun --- libavcodec/mlz.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c index a2d1b89..ebce796 100644 --- a/libavcodec/mlz.c +++ b/libavcodec/mlz.c @@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b } output_chars += ret; set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } else { int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars); @@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b if (output_chars <= size && !mlz->freeze_flag) { if (last_string_code != -1) { set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code); + if (mlz->next_code >= TABLE_SIZE - 1) { + av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n"); + return output_chars; + } mlz->next_code++; } } else {
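Review bot: in the first hunk the new `if (mlz->next_code >= TABLE_SIZE - 1)` test sits after `set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);` has already written entry next_code, so it only stops the increment; the write to index TABLE_SIZE - 1 still happens and is in bounds only if dict has at least TABLE_SIZE entries, which this hunk does not show. Moving the test above the set_new_entry_dict() call keeps the guard next to the write it protects. The error path also does `return output_chars;`, a non-negative count that a caller cannot distinguish from a complete decode, so an overflowed dictionary is silently reported as success; if ff_mlz_decompression's callers check for negative returns, returning AVERROR_INVALIDDATA after the av_log would be the conventional signal. The subject line says the limit is the "data buffer size", but the check is against the dictionary table size TABLE_SIZE, so the description should say that.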
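Review bot: the second hunk repeats the same four-line check and "Too many MLZ codes" av_log verbatim. Both sites do `set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);` followed by `mlz->next_code++;`, so the bound check belongs in one place, either a small static helper that inserts the entry and reports failure, or a single test placed before set_new_entry_dict() at each site, so the two copies cannot drift apart. The return-value point from the first hunk applies here too: `return output_chars;` inside `if (output_chars <= size && !mlz->freeze_flag)` ends the decode with a partial count that the caller will treat as a normal result.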