vmnc: check input size before reading chunk header, fix overread

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-11-14 02:50:59 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-11-14 02:51:38 +0100
commit: 39c5cd601ef09b1a540471960cb3a7e3ba17cb3c (patch)
tree: 175614b361fb2536919f8a438d804729636b3e9d /libavcodec/vmnc.c
parent: b61658829b2f94126196b0accca4e4703fba2c1f (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index 62a1312de6..d3c86f1f97 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -332,6 +332,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
     src += 2;
     chunks = AV_RB16(src); src += 2;
     while(chunks--) {
+        if(buf_size - (src - buf) < 12) {
+            av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n");
+            return -1;
+        }
         dx = AV_RB16(src); src += 2;
         dy = AV_RB16(src); src += 2;
         w  = AV_RB16(src); src += 2;
author	Michael Niedermayer <michaelni@gmx.at>	2012-11-14 02:50:59 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-11-14 02:51:38 +0100
commit	39c5cd601ef09b1a540471960cb3a7e3ba17cb3c (patch)
tree	175614b361fb2536919f8a438d804729636b3e9d /libavcodec/vmnc.c
parent	b61658829b2f94126196b0accca4e4703fba2c1f (diff)