From 0a82f5275f719e6e369a807720a2c3603aa0ddd9 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Tue, 27 Mar 2012 12:26:46 -0700
Subject: lagarith: fix buffer overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/lagarithrac.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'libavcodec/lagarithrac.c')
diff --git a/libavcodec/lagarithrac.c b/libavcodec/lagarithrac.c
index 33dc6e4bd4..edfb18fb74 100644
--- a/libavcodec/lagarithrac.c
+++ b/libavcodec/lagarithrac.c
@@ -32,15 +32,16 @@ void ff_lag_rac_init(lag_rac *l, GetBitContext *gb, int length)
 {
- int i, j;
+ int i, j, left;
 /* According to reference decoder "1st byte is garbage",
 * however, it gets skipped by the call to align_get_bits() */
 align_get_bits(gb);
+ left = get_bits_left(gb) >> 3;
 l->bytestream_start = l->bytestream = gb->buffer + get_bits_count(gb) / 8;
- l->bytestream_end = l->bytestream_start + length;
+ l->bytestream_end = l->bytestream_start + FFMIN(length, left);
 l->range = 0x80;
 l->low = *l->bytestream >> 1;
--
cgit v1.2.3
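Review bot: The clamp on `l->bytestream_end` still leaves the `l->low = *l->bytestream >> 1;` dereference two lines later unguarded when `left` is 0, because `bytestream_end == bytestream_start` then and that first read is already outside the bounded range. The same applies if `length` is negative or `get_bits_left(gb)` returns a negative value (plausible after an earlier overread, not verifiable from the hunk), where `FFMIN` yields a negative offset and `end` lands before `start`, and right-shifting a negative `int` is implementation-defined. Since `ff_lag_rac_init` returns void, a minimal fix is to make the initial read conditional, e.g. `l->low = left > 0 ? *l->bytestream >> 1 : 0;`, or to have the caller reject inputs with fewer than one byte left before calling it; the body of `ff_lag_rac_init` continues past the hunk, so later reads through `l->bytestream` may need the same bound check.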