avcodec/g2meet: fix src pointer checks in kempf_decode_tile()

Fixes Ticket2842 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-08-07 17:50:26 +0400
committer: Michael Niedermayer <michaelni@gmx.at> 2013-08-07 18:28:28 +0400
commit: 2960576378d17d71cc8dccc926352ce568b5eec1 (patch)
tree: 4cab373dad8d9f6549a1f51516409c01edcb3913 /libavcodec/g2meet.c
parent: 5cd57e8758e336e86698d4994ee088077869e42d (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index 57c6fb8db6..99d4d1ec37 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -389,7 +389,7 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,
         return 0;
     zsize = (src[0] << 8) | src[1]; src += 2;
 
-    if (src_end - src < zsize)
+    if (src_end - src < zsize + (sub_type != 2))
         return AVERROR_INVALIDDATA;
 
     ret = uncompress(c->kempf_buf, &dlen, src, zsize);
@@ -411,6 +411,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,
     for (i = 0; i < (FFALIGN(height, 16) >> 4); i++) {
         for (j = 0; j < (FFALIGN(width, 16) >> 4); j++) {
             if (!bits) {
+                if (src >= src_end)
+                    return AVERROR_INVALIDDATA;
                 bitbuf = *src++;
                 bits   = 8;
             }
author	Michael Niedermayer <michaelni@gmx.at>	2013-08-07 17:50:26 +0400
committer	Michael Niedermayer <michaelni@gmx.at>	2013-08-07 18:28:28 +0400
commit	2960576378d17d71cc8dccc926352ce568b5eec1 (patch)
tree	4cab373dad8d9f6549a1f51516409c01edcb3913 /libavcodec/g2meet.c
parent	5cd57e8758e336e86698d4994ee088077869e42d (diff)