From d1334fab736788ec4ee0735145a1ba5d6eb0a77f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 7 Aug 2018 12:10:14 +1000 Subject: [PATCH] AP_ROMFS: fixed error handling in tinflate coverity CID308327 --- libraries/AP_ROMFS/tinflate.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libraries/AP_ROMFS/tinflate.cpp b/libraries/AP_ROMFS/tinflate.cpp index 4aa61a4ae5..bf9bb19635 100644 --- a/libraries/AP_ROMFS/tinflate.cpp +++ b/libraries/AP_ROMFS/tinflate.cpp @@ -328,6 +328,9 @@ static int tinf_decode_trees(TINF_DATA *d, TINF_TREE *lt, TINF_TREE *dt) switch (sym) { case 16: + if (num == 0) { + return TINF_DATA_ERROR; + } /* copy previous code length 3-6 times (read 2 bits) */ fill_value = lengths[num - 1]; lbits = 2; @@ -398,6 +401,9 @@ static int tinf_inflate_block_data(TINF_DATA *d, TINF_TREE *lt, TINF_TREE *dt) d->curlen = tinf_read_bits(d, length_bits[sym], length_base[sym]); dist = tinf_decode_symbol(d, dt); + if (dist < 0) { + return dist; + } /* possibly get more bits from distance code */ offs = tinf_read_bits(d, dist_bits[dist], dist_base[dist]); if (d->dict_ring) {