indeo3dec: check mv bitstream pointer

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-26 22:11:53 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-26 22:22:51 +0200
commit: a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e (patch)
tree: 68f156868fb5edfb6a9aecc41ca4fe444cdc7be3 /libavcodec/indeo3.c
parent: 8a521d57b30c86a222c99a8c65d663cd227ea834 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 62cd835a9b..c24252a043 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -801,6 +801,10 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                 /* get motion vector index and setup the pointer to the mv set */
                 if (!ctx->need_resync)
                     ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
+                if (ctx->next_cell_data >= ctx->last_byte) {
+                    av_log(avctx, AV_LOG_ERROR, "motion vector out of array\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 mv_idx = *(ctx->next_cell_data++);
                 if (mv_idx >= ctx->num_vectors) {
                     av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-26 22:11:53 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-26 22:22:51 +0200
commit	a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e (patch)
tree	68f156868fb5edfb6a9aecc41ca4fe444cdc7be3 /libavcodec/indeo3.c
parent	8a521d57b30c86a222c99a8c65d663cd227ea834 (diff)