From feab761b73c37311a23a6cbbcee1ddf56439d5a4 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Tue, 27 Jun 2017 15:46:08 +0200
Subject: avcodec/interplayvideo: properly check if there is enough bytes left

Signed-off-by: Paul B Mahol <onemda@gmail.com>
---
 libavcodec/interplayvideo.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'libavcodec/interplayvideo.c')

diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index 421de26cb1..2ac2f991a6 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -1233,6 +1233,10 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
             s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2;
             s->decoding_map = buf + 8 + 14; /* 14 bits of op data */
             video_data_size -= s->decoding_map_size + 14;
+
+            if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8 + s->decoding_map_size + 14, video_data_size);
 
             break;
@@ -1253,6 +1257,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
                 return AVERROR_INVALIDDATA;
             }
 
+            if (buf_size < 8 + video_data_size + s->decoding_map_size + s->skip_map_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
             s->decoding_map = buf + 8 + video_data_size;
             s->skip_map = buf + 8 + video_data_size + s->decoding_map_size;
@@ -1270,6 +1277,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
                 return AVERROR_INVALIDDATA;
             }
 
+            if (buf_size < 8 + video_data_size + s->decoding_map_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
             s->decoding_map = buf + 8 + video_data_size;
 
-- 
cgit v1.2.3