From 1007a805a486a1348a0543ac2dd99d823148d25c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 5 Mar 2012 03:43:15 +0100
Subject: smc: Fix overread.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/smc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'libavcodec/smc.c')
diff --git a/libavcodec/smc.c b/libavcodec/smc.c
index 9ae19ffb45..a4fc861f62 100644
--- a/libavcodec/smc.c
+++ b/libavcodec/smc.c
@@ -313,7 +313,7 @@ static void smc_decode_stream(SmcContext *s)
 } else color_table_index = CQUAD * s->buf[stream_ptr++];
- while (n_blocks--) {
+ while (n_blocks-- && stream_ptr + 3 < s->size) {
 color_flags = AV_RB32(&s->buf[stream_ptr]);
 stream_ptr += 4;
 /* flag mask actually acts as a bit shift count here */
-- cgit v1.2.3
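Review bot: The new condition `stream_ptr + 3 < s->size` bounds only the 4-byte `AV_RB32` read inside this loop; the single-byte read `s->buf[stream_ptr++]` in the context line just above has no bounds check visible in the hunk. Unless that read is guarded earlier in `smc_decode_stream`, whose body starts and ends outside this hunk, a truncated packet could still be read one byte past its end there, and reads in other opcode branches may need the same audit. The loop also stops silently when the data runs out, so the remaining blocks stay undecoded with no diagnostic; a warning logged when the loop ends for lack of input would make malformed streams visible during triage. A short comment on the condition, such as `/* AV_RB32 reads 4 bytes: stop if fewer remain in the packet */`, would document why the `+ 3` is there.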