From 7ba0cedbfeff5671b264d1d7e90777057b5714c6 Mon Sep 17 00:00:00 2001
From: Martin Storsjö
Date: Sun, 29 Sep 2013 01:24:20 +0300
Subject: rpza: Fix a buffer size check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
---
 libavcodec/rpza.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'libavcodec/rpza.c')
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 45350a85d8..ca9f7ea336 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -204,7 +204,7 @@ static void rpza_decode_stream(RpzaContext *s)
 /* Fill block with 16 colors */
 case 0x00:
- if (s->size - stream_ptr < 16)
+ if (s->size - stream_ptr < 30)
 return;
 block_ptr = row_ptr + pixel_ptr;
 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
--
cgit v1.2.3
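Review bot: The bound on the `+` line is a bare `30` whose derivation (15 pixels at 2 bytes each, per the commit message) is recorded nowhere in the code, which is how the earlier `16` drifted out of step with the reads it guards. Writing it as `if (s->size - stream_ptr < 15 * 2)` with a comment such as `/* 15 of the 16 pixels are read from the stream, 2 bytes each */` keeps the check tied to the loop below it. The loop that performs the reads and the other opcode cases of `rpza_decode_stream` lie outside this hunk, so their size checks cannot be confirmed from here and are worth comparing against their read counts in the same way. The function is `void` and the guard does a bare `return;`, so a truncated chunk presumably ends decoding silently; a log message at this point would make malformed input visible to whoever triages it.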