paf: prevent invalid write

Closes #1631. Signed-off-by: Paul B Mahol <onemda@gmail.com>
author: Paul B Mahol <onemda@gmail.com> 2012-08-13 12:26:38 +0000
committer: Paul B Mahol <onemda@gmail.com> 2012-08-13 12:27:58 +0000
commit: bd70a527129a1c049a8ab38236bf87f7d459df10 (patch)
tree: 975b8d9d116155849f3493631851bbe9cd72a562
parent: c3da2c19e4e5e95dcc598ea303c70485c51fac6d (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/paf.c b/libavcodec/paf.c
index 8b3c46f66b..1c3e8b8fcd 100644
--- a/libavcodec/paf.c
+++ b/libavcodec/paf.c
@@ -164,14 +164,16 @@ static int decode_0(AVCodecContext *avctx, uint8_t code, uint8_t *pkt)
         } while (--i);
     }
 
-    dst = c->frame[c->current_frame];
+    dst  = c->frame[c->current_frame];
+    dend = c->frame[c->current_frame] + c->frame_size;
     do {
         a    = bytestream2_get_byte(&c->gb);
         b    = bytestream2_get_byte(&c->gb);
         p    = (a & 0xC0) >> 6;
         src  = c->frame[p] + get_video_page_offset(avctx, a, b);
         send = c->frame[p] + c->frame_size;
-        if (src + 3 * avctx->width + 4 > send)
+        if ((src + 3 * avctx->width + 4 > send) ||
+            (dst + 3 * avctx->width + 4 > dend))
             return AVERROR_INVALIDDATA;
         copy_block4(dst, src, avctx->width, avctx->width, 4);
         i++;
author	Paul B Mahol <onemda@gmail.com>	2012-08-13 12:26:38 +0000
committer	Paul B Mahol <onemda@gmail.com>	2012-08-13 12:27:58 +0000
commit	bd70a527129a1c049a8ab38236bf87f7d459df10 (patch)
tree	975b8d9d116155849f3493631851bbe9cd72a562
parent	c3da2c19e4e5e95dcc598ea303c70485c51fac6d (diff)