fix a possible memory leak and crash in decompression

fusiyuan2010 · Jan 11, 2016 · 0205264 · 0205264
1 parent 6119a78
commit 0205264
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/src/libcsc/csc_dec.cpp b/src/libcsc/csc_dec.cpp
@@ -142,7 +142,7 @@ class CSCDecoder
                     return -1;
                 }
 
-                while(len-- > 0) {
+                while(len-- > 0 && i < *size) {
                     dst[i] = dst[i-1];
                     i++;
                 }
@@ -701,6 +701,10 @@ CSCDecHandle CSCDec_Create(const CSCProps *props,
         return NULL;
     }
 
+    if (props->dict_size < 32 * KB) {
+        return NULL;
+    }
+
     CSCDecInstance *csc = (CSCDecInstance *)alloc->Alloc(alloc, sizeof(CSCDecInstance));
     csc->io = (MemIO *)alloc->Alloc(alloc, sizeof(MemIO));
     csc->io->Init(instream, props->csc_blocksize, alloc);
@@ -719,6 +723,7 @@ void CSCDec_Destroy(CSCDecHandle p)
 {
     CSCDecInstance *csc = (CSCDecInstance *)p;
     csc->decoder->Destroy();
+    csc->io->Destroy();
     ISzAlloc *alloc = csc->alloc;
     alloc->Free(alloc, csc->decoder);
     alloc->Free(alloc, csc->io);

diff --git a/src/libcsc/csc_memio.cpp b/src/libcsc/csc_memio.cpp
@@ -65,14 +65,11 @@ int MemIO::ReadBlock(uint8_t *buffer, uint32_t &size, int rc1bc0)
                 }
 
                 DataBlock dummy;
-                dummy.next = rc1bc0 ? bc_blocks_ : rc_blocks_;
+                dummy.next = *blist;
                 DataBlock *p = &dummy;
                 while(p->next) p = p->next;
                 p->next = newblock;
-                if (rc1bc0)
-                    bc_blocks_ = dummy.next;
-                else
-                    rc_blocks_ = dummy.next;
+                *blist = dummy.next;
             }
         }
     }
@@ -116,3 +113,16 @@ void MemIO::Init(void *iostream, uint32_t bsize, ISzAlloc *alloc)
 }
 
 
+void MemIO::Destroy() {
+    while (rc_blocks_) {
+        DataBlock *next = rc_blocks_->next;
+        alloc_->Free(alloc_, rc_blocks_);
+        rc_blocks_ = next;
+    }
+
+    while (bc_blocks_) {
+        DataBlock *next = bc_blocks_->next;
+        alloc_->Free(alloc_, bc_blocks_);
+        bc_blocks_ = next;
+    }
+}
diff --git a/src/libcsc/csc_memio.h b/src/libcsc/csc_memio.h
@@ -32,6 +32,7 @@ class MemIO
 
 public:
     void Init(void *iostream, uint32_t bsize, ISzAlloc *alloc);
+    void Destroy();
 
     uint32_t GetBlockSize() { return bsize_; }
-Original file line number
+Diff line change
@@ Expand Up / @@ -32,6 +32,7 @@ class MemIO @@
     public:
         void Init(void *iostream, uint32_t bsize, ISzAlloc *alloc);
+        void Destroy();
         uint32_t GetBlockSize() { return bsize_; }
@@ Expand Down @@