From 66ff90f4a3d81c25feaa672dc8cc9cc88017753d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Wed, 14 Nov 2012 03:33:06 +0100
Subject: 8bps: check index against buffer size before reading line length
 pointer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/8bps.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index a6d0a1b92e..f895ed39a8 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -98,6 +98,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         for (row = 0; row < height; row++) {
             pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
             pixptr_end = pixptr + c->pic.linesize[0];
+            if(lp - encoded + row*2 + 1 >= buf_size)
+                return -1;
             dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2));
             /* Decode a row of this plane */
             while (dlen > 0) {
-- 
cgit v1.2.3