From 1abcd972c4c0e16f1e83be2fd32a251f51b2946d Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Tue, 15 Nov 2016 00:11:30 +0100
Subject: [PATCH] mlz: limit next_code to data buffer size

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/mlz.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index a2d1b89cbc..ebce796ba5 100644
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -166,6 +166,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                         }
                         output_chars += ret;
                         set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+                        if (mlz->next_code >= TABLE_SIZE - 1) {
+                            av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+                            return output_chars;
+                        }
                         mlz->next_code++;
                     } else {
                         int ret = decode_string(mlz, &buff[output_chars], string_code, &char_code, size - output_chars);
@@ -177,6 +181,10 @@ int ff_mlz_decompression(MLZ* mlz, GetBitContext* gb, int size, unsigned char *b
                         if (output_chars <= size && !mlz->freeze_flag) {
                             if (last_string_code != -1) {
                                 set_new_entry_dict(dict, mlz->next_code, last_string_code, char_code);
+                                if (mlz->next_code >= TABLE_SIZE - 1) {
+                                    av_log(mlz->context, AV_LOG_ERROR, "Too many MLZ codes\n");
+                                    return output_chars;
+                                }
                                 mlz->next_code++;
                             }
                         } else {