avcodec/mlz: Check offset before writing

Fixes: 0cee183a09bff5aa5108429717c35a4d/asan_heap-oob_1d99eca_3702_9ef60e80de79082a778d3d9ce8ef3b64.mp4 Affects no release Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/mlz: Check offset before writing
Fixes: 0cee183a09bff5aa5108429717c35a4d/asan_heap-oob_1d99eca_3702_9ef60e80de79082a778d3d9ce8ef3b64.mp4 Affects no release Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
c0fc83ed · Michael Niedermayer · 2f7a12fa · c0fc83ed
Commit c0fc83ed authored Sep 08, 2016 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

mlz.c libavcodec/mlz.c +4 -0

No files found.
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -81,6 +81,10 @@ static int decode_string(MLZ* mlz, unsigned char *buff, int string_code, int *fi
            } else {
                offset  = dict[current_code].match_len - 1;
                tmp_code = dict[current_code].char_code;
+                if (offset >= bufsize) {
+                    av_log(mlz->context, AV_LOG_ERROR, "MLZ offset error.\n");
+                    return count;
+                }
                buff[offset] = tmp_code;
                count++;
            }