From b88f902125ee808c8366e9dcb3f21e4c227483fc Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Mar 2013 10:09:36 +0100
Subject: bmv: check for len being valid in bmv_decode_frame(). It can be 0 or -1 for invalid files, which may result in invalid memory access.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/bmv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'libavcodec')
diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c
index b6b685b556..941051ba7f 100644
--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -135,7 +135,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
 mode += 1 + advance_mode;
 if (mode >= 4)
 mode -= 3;
- if (FFABS(dst_end - dst) < len)
+ if (len <= 0 || FFABS(dst_end - dst) < len)
 return AVERROR_INVALIDDATA;
 switch (mode) {
 case 1:
-- 
cgit v1.2.3
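Review bot: The new `len <= 0` test in the guard just before `switch (mode)` has no comment saying why a non-positive run length is rejected, so the reason lives only in the commit message. I would add above the `if` something like `/* len is read from the bitstream and can be 0 or -1 for damaged files; reject it before the code under switch (mode) uses it as a size */`. The computation of `len` and the switch cases that consume it lie outside this hunk, so it is worth confirming that source-side reads in those cases are bounded separately, because this condition only compares `len` with the remaining destination distance. The subject line names `bmv_decode_frame()` while the hunk header shows `decode_bmv_frame`, which will make the fix harder to find by function name.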