avcodec/interplayvideo: properly check if there is enough bytes left
authorPaul B Mahol <onemda@gmail.com>
Tue, 27 Jun 2017 13:46:08 +0000 (15:46 +0200)
committerPaul B Mahol <onemda@gmail.com>
Tue, 27 Jun 2017 13:46:08 +0000 (15:46 +0200)
Signed-off-by: Paul B Mahol <onemda@gmail.com>
libavcodec/interplayvideo.c

index 421de26cb106b9891a86d6d5eb71d961a541e138..2ac2f991a6f7130015a49432cfbf3a7256f167fc 100644 (file)
@@ -1233,6 +1233,10 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
             s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2;
             s->decoding_map = buf + 8 + 14; /* 14 bits of op data */
             video_data_size -= s->decoding_map_size + 14;
+
+            if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8 + s->decoding_map_size + 14, video_data_size);
 
             break;
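Review bot: The added check cannot reject a packet whose declared video_data_size is smaller than `s->decoding_map_size + 14`. The subtraction on the line above then leaves video_data_size negative (assuming it is a signed int; its declaration is outside the hunk), so the right-hand sum shrinks and the comparison passes. A negative length then reaches bytestream2_init(), and the decoding map starting at `buf + 8 + 14` is no longer guaranteed to end inside buf. Rejecting the negative remainder first closes that gap: `if (video_data_size < 0 || buf_size < 8 + s->decoding_map_size + 14 + video_data_size)`. The enclosing case and ipvideo_decode_frame itself start and end outside the hunk.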
@@ -1253,6 +1257,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
                 return AVERROR_INVALIDDATA;
             }
 
+            if (buf_size < 8 + video_data_size + s->decoding_map_size + s->skip_map_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
             s->decoding_map = buf + 8 + video_data_size;
             s->skip_map = buf + 8 + video_data_size + s->decoding_map_size;
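Review bot: The new size check returns AVERROR_INVALIDDATA without logging anything, so a truncated or malformed packet rejected here cannot be told apart from other decode failures when triaging a sample. Adding `av_log(avctx, AV_LOG_ERROR, "Packet too small for video data, decoding map and skip map\n");` before the return would make the rejection visible. The braced error path just above appears to be a multi-statement block, but its start is outside the hunk. A one-line comment stating the layout the check encodes (8-byte header, video data, decoding map, skip map) would also explain the bare `8`. The same applies to the added checks in the first and third hunks.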
@@ -1270,6 +1277,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
                 return AVERROR_INVALIDDATA;
             }
 
+            if (buf_size < 8 + video_data_size + s->decoding_map_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
             s->decoding_map = buf + 8 + video_data_size;