From 71a3c59ed73f2cad401d192278d1fcab9a129606 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 15 Apr 2012 13:29:50 +0200
Subject: eatgv: check vector_bits

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Signed-off-by: Kostya Shishkov
---
 libavcodec/eatgv.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'libavcodec/eatgv.c')

diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c
index 9484ff1d0d..60058b29e9 100644
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@@ -154,6 +154,12 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
 vector_bits = AV_RL16(&buf[6]);
 buf += 12;

+ if (vector_bits > MIN_CACHE_BITS || !vector_bits) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid value for motion vector bits: %d\n", vector_bits);
+ return AVERROR_INVALIDDATA;
+ }
+
 /* allocate codebook buffers as necessary */
 if (num_mvs > s->num_mvs) {
 s->mv_codebook = av_realloc(s->mv_codebook, num_mvs*2*sizeof(int));
-- cgit v1.2.3
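Review bot: The context line directly after the new check, `s->mv_codebook = av_realloc(s->mv_codebook, num_mvs*2*sizeof(int));`, writes the result straight back into the only pointer to the old buffer, so a failed allocation leaks that buffer and leaves `s->mv_codebook` NULL. Whether the result is tested afterwards is outside the hunk, as are the rest of the `if (num_mvs > s->num_mvs)` block and the body of tgv_decode_inter. I would go through a temporary: `void *tmp = av_realloc(s->mv_codebook, num_mvs*2*sizeof(int));`, `if (!tmp) return AVERROR(ENOMEM);`, `s->mv_codebook = tmp;`. The new check itself would benefit from a one-line comment on why MIN_CACHE_BITS is the bound, for example `/* vector_bits is later used as a bit-reader width, so it must be 1..MIN_CACHE_BITS */`; that is presumably the reason, to be confirmed against the reads further down the function.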