From 1a55810e878efefe3b8c128d57af3a66949872e0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 11 Jul 2005 22:56:23 +0000
Subject: fix segfault (bug #1165640)

Originally committed as revision 4435 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/8bps.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'libavcodec/8bps.c')

diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index 3898ac5dd3..4d5a64e5d9 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -100,11 +100,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8
 dlen = be2me_16(*(unsigned short *)(lp+row*2));
 /* Decode a row of this plane */
 while(dlen > 0) {
+ if(dp + 1 >= buf+buf_size) return -1;
 if ((count = *dp++) <= 127) {
 count++;
 dlen -= count + 1;
 if (pixptr + count * px_inc > pixptr_end)
 break;
+ if(dp + count > buf+buf_size) return -1;
 while(count--) {
 *pixptr = *dp++;
 pixptr += px_inc;
--
cgit v1.2.3
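Review bot: The per-row length read `dlen = be2me_16(*(unsigned short *)(lp+row*2));` at the top of the hunk is still unbounded: the two added checks guard `dp`, but nothing visible here confirms that `lp+row*2+1` lies inside `buf`, so as far as the hunk shows a truncated frame could still be read past its end before the new checks run. Unless the line table is validated earlier in decode_frame (its body starts and ends outside the hunk), add a guard before that read, for example `if (buf + buf_size - lp < row*2 + 2) return -1;`. The added checks would also be safer written as remaining-length comparisons, e.g. `if (count > buf + buf_size - dp) return -1;`, because `dp + count` and `dp + 1` can form a pointer more than one past the end of the buffer, which is undefined behaviour. A one-line comment such as `/* truncated input: not enough bytes left for this run */` on each early return would record why -1 is returned here while the neighbouring `pixptr_end` check only breaks.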