authorMichael Niedermayer <michaelni@gmx.at>2013-05-01 23:46:38 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-05-01 23:51:05 +0200
commitc1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb (patch)
tree9de7ffb64931e18a83a17bd4e7391d993cc8e640 /libavcodec/vmdav.c
parentd602f16a377a84c5ba843c2d1ae03f8085ae758d (diff)
vmdav: Try to fix unpack_rle()
This fixes out-of-array accesses.
The code prior to this commit could not have worked, and thus was obviously untested. I was also not able to find a valid sample that uses this code.
This fix is thus based only on the description of the format.
If someone has a sample that uses unpack_rle(), please mail me.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/vmdav.c')
-rw-r--r--libavcodec/vmdav.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 867d8c7666..0e21aa681e 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -151,7 +151,7 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
int src_count, int src_size, int dest_len)
{
unsigned char *pd;
- int i, l;
+ int i, j, l;
unsigned char *dest_end = dest + dest_len;
GetByteContext gb;
@@ -176,13 +176,15 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
bytestream2_get_bufferu(&gb, pd, l);
pd += l;
} else {
- if (dest_end - pd < i || bytestream2_get_bytes_left(&gb) < 2)
+ int ps[2];
+ if (dest_end - pd < 2*l || bytestream2_get_bytes_left(&gb) < 2)
return bytestream2_tell(&gb);
- for (i = 0; i < l; i++) {
- *pd++ = bytestream2_get_byteu(&gb);
- *pd++ = bytestream2_get_byteu(&gb);
+ ps[0] = bytestream2_get_byteu(&gb);
+ ps[1] = bytestream2_get_byteu(&gb);
+ for (j = 0; j < l; j++) {
+ *pd++ = ps[0];
+ *pd++ = ps[1];
}
- bytestream2_skip(&gb, 2);
}
i += l;
} while (i < src_count);
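Review bot: The loop accounting after the rewritten run branch looks inconsistent. The run branch now writes `2*l` bytes to `pd` and the literal branch above writes `l`, yet both fall through to the same `i += l`. Whether `src_count` counts output bytes or 2-byte units cannot be told from the hunk, because `l` is derived before the hunk starts and `rle_unpack` continues past it. The commit message says this path is untested, so I would pin the unit with a comment on the branch, e.g. `/* run: one 2-byte pattern repeated l times -> writes 2*l bytes; dest bound checked above */`. The new `dest_end - pd < 2*l` guard does match the number of bytes the loop stores. As a style point, `ps` holds two bytes that are stored straight back through `unsigned char *pd`, so `unsigned char ps[2];` would state the intent better than `int ps[2];`.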