From 7bf9647264308d2df74b2b50669f2d02a7ecc90b Mon Sep 17 00:00:00 2001
From: Federico Tomassetti
Date: Thu, 13 Aug 2015 15:35:53 +0200
Subject: vp7: bound checking in vp7_decode_frame_header
CC: libav-stable@libav.org
---
 libavcodec/vp8.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index f11076a6ed..55ebae69fd 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -480,6 +480,10 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
 int width = s->avctx->width;
 int height = s->avctx->height;
+ if (buf_size < 4) {
+ return AVERROR_INVALIDDATA;
+ }
+
 s->profile = (buf[0] >> 1) & 7;
 if (s->profile > 1) {
 avpriv_request_sample(s->avctx, "Unknown profile %d", s->profile);
@@ -493,6 +497,10 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
 buf += 4 - s->profile;
 buf_size -= 4 - s->profile;
+ if (buf_size < part1_size) {
+ return AVERROR_INVALIDDATA;
+ }
+
 memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab));
 ff_vp56_init_range_decoder(c, buf, part1_size);
-- cgit v1.2.3
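Review bot: Both new guards return `AVERROR_INVALIDDATA` without logging anything, unlike the unknown-profile branch just below, which reports through `avpriv_request_sample`; a truncated header is then indistinguishable from any other decode failure when triaging malformed input. An `av_log(s->avctx, AV_LOG_ERROR, "Truncated VP7 frame header\n");` before each return (here and in the hunk at new line 497) would make the rejection visible. The literal 4 also deserves a comment such as `/* largest fixed prefix skipped below: 4 - s->profile bytes */`, since the expression it mirrors only appears in the next hunk. The body of vp7_decode_frame_header starts before and continues after both hunks.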
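Review bot: The guard `buf_size < part1_size` caps the first partition from above but sets no lower bound, so a `part1_size` of zero passes and `ff_vp56_init_range_decoder(c, buf, part1_size)` is still called on an empty range. If that initializer preloads a fixed number of bytes from `buf` (its body is not visible here, so this needs confirming), a header that declares a partition shorter than the preload at the very end of the packet would still be read past. Folding the minimum into the check, e.g. `if (part1_size < MIN_PRELOAD || buf_size < part1_size)` with `MIN_PRELOAD` a placeholder for the confirmed byte count, would cover that case. The function continues after the hunk.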