From 62b1e3b1031e901105d78e831120de8e4c3e0013 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Sun, 7 Jul 2013 12:31:19 +0200
Subject: aasc: Check minimum buffer size

Prevent some overreads.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/aasc.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavcodec/aasc.c')

diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c
index bce27c0e10..60a4be817b 100644
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -62,6 +62,9 @@ static int aasc_decode_frame(AVCodecContext *avctx,
 AascContext *s = avctx->priv_data;
 int compr, i, stride, ret;
 
+ if (buf_size < 4)
+ return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) {
 av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
 return ret;
@@ -73,6 +76,8 @@ static int aasc_decode_frame(AVCodecContext *avctx,
 switch (compr) {
 case 0:
 stride = (avctx->width * 3 + 3) & ~3;
+ if (buf_size < stride * avctx->height)
+ return AVERROR_INVALIDDATA;
 for (i = avctx->height - 1; i >= 0; i--) {
 memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * 3);
 buf += stride;
-- cgit v1.2.3
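Review bot: The new `buf_size < 4` guard rejects the packet without any log message, while the ff_reget_buffer failure directly below it reports through av_log; the size check added in the `case 0:` hunk returns just as silently. A line such as `av_log(avctx, AV_LOG_ERROR, "frame too small (%d)\n", buf_size);` before each return would make truncated or malformed input visible during triage. The constant 4 is also unexplained at this point; if it is the size of the compression tag read after this hunk (not visible here), a comment like `/* 32-bit compression tag */` would record that. aasc_decode_frame starts and ends outside the hunk.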
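Review bot: `stride * avctx->height` in the added check is evaluated in `int`, so for large enough dimensions the product can overflow (undefined behaviour) and the comparison would no longer bound the copy loop that follows. Unless width and height are already limited elsewhere, which this hunk does not show, widen the product: `if (buf_size < (int64_t)stride * avctx->height)`. The check also assumes buf_size has already been reduced by the header bytes consumed between the two hunks; that code is not visible here and is worth confirming. The switch body continues outside the hunk.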