avcodec/mlz: Check offset before writing

Fixes: 0cee183a09bff5aa5108429717c35a4d/asan_heap-oob_1d99eca_3702_9ef60e80de79082a778d3d9ce8ef3b64.mp4
Affects no release

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/mlz.c b/libavcodec/mlz.c
index acb090824f3c2924cc540a21ad9b932dd2ebf609..039635dcf154a9ee7343a50a685dfdac778d664d 100644 (file)
--- a/libavcodec/mlz.c
+++ b/libavcodec/mlz.c
@@ -81,6 +81,10 @@ static int decode_string(MLZ* mlz, unsigned char *buff, int string_code, int *fi
             } else {
                 offset  = dict[current_code].match_len - 1;
                 tmp_code = dict[current_code].char_code;
+                if (offset >= bufsize) {
+                    av_log(mlz->context, AV_LOG_ERROR, "MLZ offset error.\n");
+                    return count;
+                }
                 buff[offset] = tmp_code;
                 count++;
             }