From c359c51947c9ac925cc4a5d1893ef20ea1d3b4c8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 14 Aug 2017 00:15:54 +0200
Subject: [PATCH] avcodec/rangecoder: Do not increase the pointer beyond the buffer
Fixes: undefined behavior
Signed-off-by: Michael Niedermayer
---
 libavcodec/rangecoder.c | 1 +
 libavcodec/rangecoder.h | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rangecoder.c b/libavcodec/rangecoder.c
index 0bb79c880e..0d53bef076 100644
--- a/libavcodec/rangecoder.c
+++ b/libavcodec/rangecoder.c
@@ -58,6 +58,7 @@ av_cold void ff_init_range_decoder(RangeCoder *c, const uint8_t *buf,
 c->low = AV_RB16(c->bytestream);
 c->bytestream += 2;
+ c->overread = 0;
 if (c->low >= 0xFF00) {
 c->low = 0xFF00;
 c->bytestream_end = c->bytestream;
diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h
index c3e81d0dcb..44af88b8f5 100644
--- a/libavcodec/rangecoder.h
+++ b/libavcodec/rangecoder.h
@@ -42,6 +42,8 @@ typedef struct RangeCoder {
 uint8_t *bytestream_start;
 uint8_t *bytestream;
 uint8_t *bytestream_end;
+ int overread;
+#define MAX_OVERREAD 2
 } RangeCoder;
 void ff_init_range_encoder(RangeCoder *c, uint8_t *buf, int buf_size);
@@ -106,9 +108,11 @@ static inline void refill(RangeCoder *c)
 if (c->range < 0x100) {
 c->range <<= 8;
 c->low <<= 8;
- if (c->bytestream < c->bytestream_end)
+ if (c->bytestream < c->bytestream_end) {
 c->low += c->bytestream[0];
- c->bytestream++;
+ c->bytestream++;
+ } else
+ c->overread ++;
 }
 }
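Review bot: The context lines `c->low = AV_RB16(c->bytestream);` and `c->bytestream += 2;` in ff_init_range_decoder still read and advance two bytes with no visible check of `buf_size`, so an input shorter than two bytes would hit the same past-the-end pointer problem this commit removes from refill(). The function body starts above the hunk and returns void per the hunk header, so a guard may exist there or in the callers; if it does not, the read should be conditional on `buf_size >= 2` and a short buffer treated as an already exhausted stream. A comment next to the new reset, `/* overread counts refill() calls past bytestream_end */`, would also tell readers why it belongs in the decoder init.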
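Review bot: `overread` and `MAX_OVERREAD` are added to RangeCoder without documentation, and the `#define` sits inside the struct body although it is visible to every file that includes rangecoder.h. I would document the field, `int overread; ///< number of refill() calls made after bytestream reached bytestream_end`, and move the macro above the typedef with one line explaining why 2 is the tolerated amount (presumably the look-ahead a valid stream can cause at its end; to be confirmed by the author). The struct definition starts outside the hunk.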
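Review bot: The new `else c->overread ++;` branch in refill() only counts; nothing in this patch compares the counter with MAX_OVERREAD, so a truncated stream is still decoded as if zero bytes followed the end of the buffer. Decode loops that use this coder need a check such as `if (c->overread > MAX_OVERREAD) return AVERROR_INVALIDDATA;`, which may be planned as a follow-up but is not visible here. The counter is also a signed `int` that grows without bound while a caller keeps decoding exhausted input; saturating it, `else if (c->overread <= MAX_OVERREAD) c->overread++;`, keeps the signal and rules out signed overflow. refill()'s signature and opening brace are outside the hunk.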