vmdav: Try to fix unpack_rle()

This fixes out of array accesses
The code prior to this commit could not have worked, thus obviously
was untested. I was also not able to find a valid sample that uses this
code.
This fix is thus only based on the description of the format

If someone has a sample that uses unpack_rle(), please mail me.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb)

Conflicts:

	libavcodec/vmdav.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 3 insertions, 3 deletions

diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index d7f136c8a1..79a33b867f 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -162,7 +162,7 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
     const unsigned char *ps;
     const unsigned char *ps_end;
     unsigned char *pd;
-    int i, l;
+    int i, j, l;
     unsigned char *dest_end = dest + dest_len;
 
     ps = src;
@@ -188,9 +188,9 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
             ps += l;
             pd += l;
         } else {
-            if (dest_end - pd < i || ps_end - ps < 2)
+            if (dest_end - pd < 2*l || ps_end - ps < 2)
                 return ps - src;
-            for (i = 0; i < l; i++) {
+            for (j = 0; j < l; j++) {
                 *pd++ = ps[0];
                 *pd++ = ps[1];
             }