X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fbrenderpix.c;h=46b7a59aa49562d168d285395d8fe8240f6ba10f;hb=dc8e15ef15d060a9ca118905c770710ce43a0723;hp=0556858de17f6fc8588c390ae5939e21c99c64ec;hpb=44085b9951b06df1cab4105dcda004213988d84f;p=ffmpeg

diff --git a/libavcodec/brenderpix.c b/libavcodec/brenderpix.c
index 0556858de17..46b7a59aa49 100644
--- a/libavcodec/brenderpix.c
+++ b/libavcodec/brenderpix.c
@@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         avpriv_request_sample(avctx, "Format %d", hdr.format);
         return AVERROR_PATCHWELCOME;
     }
+    bytes_per_scanline = bytes_pp * hdr.width;
+
+    if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline)
+        return AVERROR_INVALIDDATA;
 
     if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0)
         return ret;
@@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     bytestream2_skip(&gb, 8);
 
     // read the image data to the buffer
-    bytes_per_scanline = bytes_pp * hdr.width;
     bytes_left = bytestream2_get_bytes_left(&gb);
 
     if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left ||