From 59d7bb99b6a963b7e11c637228b2203adf535eee Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Mon, 10 Jun 2013 16:37:43 +0200
Subject: 4xm: check bitstream_size boundary before using it

Prevent buffer overread.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/4xm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'libavcodec/4xm.c')

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 5814c3afd4..a4e6965fe0 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -739,6 +739,9 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
     unsigned int prestream_size;
     const uint8_t *prestream;
 
+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
     if (length < bitstream_size + 12) {
         av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
         return AVERROR_INVALIDDATA;
@@ -749,7 +752,6 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
     prestream      =             buf + bitstream_size + 12;
 
     if (prestream_size + bitstream_size + 12 != length
-        || bitstream_size > (1 << 26)
         || prestream_size > (1 << 26)) {
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n",
                prestream_size, bitstream_size, length);
-- 
cgit v1.2.3