avcodec/g2meet: fix src pointer checks in kempf_decode_tile()
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 7 Aug 2013 13:50:26 +0000 (15:50 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 7 Aug 2013 14:28:28 +0000 (16:28 +0200)
Fixes Ticket2842

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/g2meet.c

index 57c6fb8db6b4e48093aa08914c121235d9f29168..99d4d1ec37b266dce2bf68bc0a4169e346885d4d 100644 (file)
@@ -389,7 +389,7 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,
         return 0;
     zsize = (src[0] << 8) | src[1]; src += 2;
 
-    if (src_end - src < zsize)
+    if (src_end - src < zsize + (sub_type != 2))
         return AVERROR_INVALIDDATA;
 
     ret = uncompress(c->kempf_buf, &dlen, src, zsize);
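Review bot: The `+ (sub_type != 2)` term in the new length check is unexplained and easy to misread as an off-by-one. It appears to reserve the one byte that is read after the zlib payload for tiles that are not sub_type 2, but that read is outside this hunk, so this should be confirmed against the full function. I would add a comment above the check, e.g. `/* non-type-2 tiles read one more byte after the zlib data */`, so that a later edit to either the check or that read keeps the two in step. kempf_decode_tile's body starts and ends outside the hunk.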
@@ -411,6 +411,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,
     for (i = 0; i < (FFALIGN(height, 16) >> 4); i++) {
         for (j = 0; j < (FFALIGN(width, 16) >> 4); j++) {
             if (!bits) {
+                if (src >= src_end)
+                    return AVERROR_INVALIDDATA;
                 bitbuf = *src++;
                 bits   = 8;
             }
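Review bot: The added `src >= src_end` test runs once per flag byte inside the nested loops, so a truncated tile is rejected only after part of the block map has already been consumed. If `bits` carries over between rows (its initialisation is not visible here), the number of flag bytes is known before the loop starts. A single up-front check such as `if (src_end - src < (nblk + 7) >> 3) return AVERROR_INVALIDDATA;`, with `nblk` a new local holding the product of the two loop bounds, would then reject short input before any state is touched and keep the bounds logic in one place. The loop body continues outside the hunk, so whatever consumes `src` after the loop should also be checked to take its length from `src_end - src`.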