From 68a4d3498f28eff3508595283074e1ed8493879d Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@via.ecp.fr>
Date: Thu, 28 Jan 2010 23:49:46 +0000
Subject: vp56: check buffer size to fix a potential segfault patch by Laurent
 Aimar  fenrir _at_ videolan _dot_ org

Originally committed as revision 21521 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/vp56.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec/vp56.c')

diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index cbac71bc93..36027b43f1 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -504,8 +504,12 @@ int vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     int is_alpha, av_uninit(alpha_offset);
 
     if (s->has_alpha) {
+        if (remaining_buf_size < 3)
+            return -1;
         alpha_offset = bytestream_get_be24(&buf);
         remaining_buf_size -= 3;
+        if (remaining_buf_size < alpha_offset)
+            return -1;
     }
 
     for (is_alpha=0; is_alpha < 1+s->has_alpha; is_alpha++) {
-- 
cgit v1.2.3