avformat/paf: Fix integer overflow and out of array read

Found-by:  Laurent Butti <laurentb@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavformat/paf.c b/libavformat/paf.c
index 09786eb34f1aa37e151130f5cd4b183abb9af00f..09aefe6770b53cedd9b347809b69cd3dd2d18d05 100644 (file)
--- a/libavformat/paf.c
+++ b/libavformat/paf.c
@@ -233,10 +233,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         p->current_frame_block++;
     }
 
-    size = p->video_size - p->frames_offset_table[p->current_frame];
-    if (size < 1)
+    if (p->frames_offset_table[p->current_frame] >= p->video_size)
         return AVERROR_INVALIDDATA;
 
+    size = p->video_size - p->frames_offset_table[p->current_frame];
+
     if (av_new_packet(pkt, size) < 0)
         return AVERROR(ENOMEM);