From 7f8059bdfe9cdc00ccd8f8aa3bb0b4a32b6fb5bc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 28 May 2012 17:04:38 +0200
Subject: xan: fix out of array read

Fixes ticket1360
Signed-off-by: Michael Niedermayer
(cherry picked from commit 01900fcc45e99ee4556e0a5d87ff57b2f150dad4)
Signed-off-by: Michael Niedermayer
---
 libavcodec/xan.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'libavcodec')
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 155dee9595..b39290aedf 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -517,6 +517,10 @@ static int xan_decode_frame(AVCodecContext *avctx,
 int i;
 tag = bytestream_get_le32(&buf);
 size = bytestream_get_be32(&buf);
+ if(size < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size);
+ return AVERROR_INVALIDDATA;
+ }
 size = FFMIN(size, buf_end - buf);
 switch (tag) {
 case PALT_TAG:
-- 
cgit v1.2.3
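Review bot: The new `if(size < 0)` guard works only because the 32-bit big-endian length from `bytestream_get_be32()` is stored in a signed `size`, which is declared outside the hunk (the `%d` in the log call suggests `int`). Nothing at the check says this. A stored value of 0x80000000 or above becomes negative, and `FFMIN(size, buf_end - buf)` would then keep the negative value instead of clamping it, so the guard has to stay ahead of the clamp. I would record that above the check, for example `/* be32 length >= 0x80000000 is negative in the signed 'size' and would pass FFMIN() unclamped; reject it first */`. The clamp bounds `size` only from above by the remaining input, so whether each `case` in the switch (outside the hunk) also enforces its own minimum length cannot be confirmed from here and is worth checking. Minor style: the surrounding code writes `switch (tag)` with a space, so `if (size < 0) {` would match.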