From 0a2fbb0a8435e0d29bf5067cb13344e1d6e11939 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 13 Dec 2011 15:45:43 +0100
Subject: msrledec: Check for overreads
Signed-off-by: Michael Niedermayer
(cherry picked from commit 53be37e368928e7f274e33ef8d118109da373c79)
Signed-off-by: Michael Niedermayer
---
 libavcodec/msrledec.c | 6 +++++-
 tests/ref/fate/aasc | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index db8de7032d..129f0e0bc0 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
 output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
 output_end = pic->data[0] + avctx->height * pic->linesize[0];
- while(src < data + srcsize) {
+ while(src + 1 < data + srcsize) {
 p1 = *src++;
 if(p1 == 0) { //Escape code
 p2 = *src++;
@@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
 src += p2 * (depth >> 3);
 continue;
 }
+ if(data + srcsize - src < p2 * (depth >> 3)){
+ av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
+ return -1;
+ }
 if ((depth == 8) || (depth == 24)) {
 for(i = 0; i < p2 * (depth >> 3); i++) {
 *output++ = *src++;
diff --git a/tests/ref/fate/aasc b/tests/ref/fate/aasc
index 07b326983d..5da230f052 100644
--- a/tests/ref/fate/aasc
+++ b/tests/ref/fate/aasc
@@ -21,4 +21,4 @@
 0, 72000, 168000, 0x646fa087
 0, 75600, 168000, 0x404450a2
 0, 79200, 168000, 0x5214c456
-0, 82800, 168000, 0xe573025c
+0, 82800, 168000, 0xaef602d3
--
cgit v1.2.3
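Review bot: The new loop condition `while(src + 1 < data + srcsize)` guarantees only the two bytes consumed by `p1 = *src++` and `p2 = *src++`. Any branch further down the loop body that reads more input per iteration needs its own remaining-length check; the rest of the body is outside this hunk, so those paths should be confirmed rather than assumed covered. The condition also makes a lone trailing byte end decoding silently. A short comment on the loop, such as `/* each iteration needs at least a code byte and a count/escape byte */`, would record why the guard is `src + 1`, and would make it clear that a truncated tail is dropped rather than reported.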
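Review bot: The added check `if(data + srcsize - src < p2 * (depth >> 3))` comes after the skip path shown as context (`src += p2 * (depth >> 3); continue;`), so that path still advances `src` by an attacker-controlled count without comparing it against the end of the input. The loop condition will most likely stop the next iteration, but forming a pointer more than one past the end of the buffer is already undefined behaviour in C. Moving the four added lines above the branch that holds the skip (its condition is outside the hunk) would bound both the skip and the copy with the same test. The function body starts and ends outside this hunk.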