From abe68364a3219f1a98c46bddea575e4cada147c7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 12 Nov 2012 19:29:08 +0100
Subject: swfdec: check space before copy

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavformat/swfdec.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavformat/swfdec.c')

diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
index b8c2e930c3..193df25e2f 100644
--- a/libavformat/swfdec.c
+++ b/libavformat/swfdec.c
@@ -362,6 +362,11 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
             default:
                 av_assert0(0);
             }
+
+            if (linesize * height > pkt->size) {
+                res = AVERROR_INVALIDDATA;
+                goto bitmap_end;
+            }
             memcpy(pkt->data, buf + colormapsize*colormapbpp, linesize * height);
 
             res = pkt->size;
-- 
cgit v1.2.3