From bd70a527129a1c049a8ab38236bf87f7d459df10 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Mon, 13 Aug 2012 12:26:38 +0000
Subject: paf: prevent invalid write

Closes #1631.

Signed-off-by: Paul B Mahol
---
 libavcodec/paf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/paf.c b/libavcodec/paf.c
index 8b3c46f66b..1c3e8b8fcd 100644
--- a/libavcodec/paf.c
+++ b/libavcodec/paf.c
@@ -164,14 +164,16 @@ static int decode_0(AVCodecContext *avctx, uint8_t code, uint8_t *pkt)
 } while (--i);
 }
- dst = c->frame[c->current_frame];
+ dst = c->frame[c->current_frame];
+ dend = c->frame[c->current_frame] + c->frame_size;
 do {
 a = bytestream2_get_byte(&c->gb);
 b = bytestream2_get_byte(&c->gb);
 p = (a & 0xC0) >> 6;
 src = c->frame[p] + get_video_page_offset(avctx, a, b);
 send = c->frame[p] + c->frame_size;
- if (src + 3 * avctx->width + 4 > send)
+ if ((src + 3 * avctx->width + 4 > send) ||
+ (dst + 3 * avctx->width + 4 > dend))
 return AVERROR_INVALIDDATA;
 copy_block4(dst, src, avctx->width, avctx->width, 4);
 i++;
-- 
cgit v1.2.3
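Review bot: Both halves of the new condition compute `src + 3 * avctx->width + 4` and `dst + 3 * avctx->width + 4` before comparing them with `send` and `dend`. In exactly the case the check is meant to reject, the pointer has already been formed past the end of the frame buffer, which is undefined behaviour in C and can wrap or be optimised away. Comparing the remaining room keeps the arithmetic inside the buffer: `if (send - src < 3 * avctx->width + 4 || dend - dst < 3 * avctx->width + 4)`. A short comment such as `/* copy_block4 touches 4 rows of 4 bytes at stride width, so the last byte is at +3*width+3 */` would explain the constant, assuming that is what copy_block4 does with these arguments. The rest of the loop, where `dst` is presumably advanced, and the body of decode_0 lie outside the hunk, so whether `dst` can ever start an iteration beyond `dend` cannot be confirmed from here.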