X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fmsrledec.c;h=129f0e0bc0133ca041c32cd94b82b9e0f0db3ef9;hb=ca1bae3983c6592efe4635e7e35a1f85833674b8;hp=97510830d52ebfba03b17a88d3baebd661c8dc3e;hpb=4dcd1a3145dd93602b86a44ebc07d98ca2a30ab6;p=ffmpeg
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index 97510830d52..129f0e0bc01 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -138,9 +138,9 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
 uint32_t av_uninit(pix32);
 unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
- output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
- output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
- while(src < data + srcsize) {
+ output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
+ output_end = pic->data[0] + avctx->height * pic->linesize[0];
+ while(src + 1 < data + srcsize) {
 p1 = *src++;
 if(p1 == 0) { //Escape code
 p2 = *src++;
@@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
 src += p2 * (depth >> 3);
 continue;
 }
+ if(data + srcsize - src < p2 * (depth >> 3)){
+ av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
+ return -1;
+ }
 if ((depth == 8) || (depth == 24)) {
 for(i = 0; i < p2 * (depth >> 3); i++) {
 *output++ = *src++;
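Review bot: The new loop condition `src + 1 < data + srcsize` only guarantees that the p1/p2 pair read at the top of the loop lies inside the input. Any further reads from src later in the body, which continues outside this hunk, still need their own length checks, as the second hunk adds for the raw-copy case. Writing the bound as a remaining-length test, `while (data + srcsize - src >= 2) {`, would match the form of that later check and make the two-byte requirement explicit. A short comment such as `/* each code is at least a two-byte pair */` would record why the bound is 2 and that a trailing odd byte is deliberately ignored.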
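Review bot: The added length check sits after the skip path visible in the context lines (`src += p2 * (depth >> 3); continue;`), so that path still advances src by a count that appears to come from the stream without comparing it to data + srcsize. The loop condition stops the loop afterwards, but moving the check above the skip branch (whose `if` starts outside this hunk) would cover both paths. `p2 * (depth >> 3)` is now spelled out in the skip, the bound and the copy loop; a local such as `int run = p2 * (depth >> 3);` would keep them in step. If the rest of the decoder follows that convention, `return AVERROR_INVALIDDATA;` would tell callers more than `return -1;`.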