authorMichael Niedermayer <michaelni@gmx.at>2013-05-01 23:46:38 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-06-03 02:34:10 +0200
commit2fae70db2ac2ffaf7968637fe4f111a24e7e4351 (patch)
tree3da30e37decd7d346f79810e8105fb14a450b1f4
parentf08b0ff051c3bfa0027b435e6e9862d18da310d5 (diff)
downloadffmpeg-2fae70db2ac2ffaf7968637fe4f111a24e7e4351.tar.gz
vmdav: Try to fix unpack_rle()
This fixes out of array accesses.

The code prior to this commit could not have worked, thus obviously was untested. I was also not able to find a valid sample that uses this code. This fix is thus only based on the description of the format.

If someone has a sample that uses unpack_rle(), please mail me.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb)

Conflicts:
libavcodec/vmdav.c

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/vmdav.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index ca0916b729..9c24a01ba7 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -179,12 +179,14 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
bytestream2_get_buffer(&gb, pd, l);
pd += l;
} else {
+ int ps[2];
if (dest_end - pd < 2*l || bytestream2_get_bytes_left(&gb) < 2)
return bytestream2_tell(&gb);
-
+ ps[0] = bytestream2_get_byteu(&gb);
+ ps[1] = bytestream2_get_byteu(&gb);
for (j = 0; j < l; j++) {
- *pd++ = bytestream2_get_byteu(&gb);
- *pd++ = bytestream2_get_byteu(&gb);
+ *pd++ = ps[0];
+ *pd++ = ps[1];
}
}
i += l;
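Review bot: The run branch now writes `2*l` bytes through `pd`, but the trailing `i += l;` still advances the counter by only `l`, while the literal branch above copies exactly `l` bytes for the same increment. If `i` is compared against an output byte count in the loop condition (which is outside this hunk, as are the start and end of `rle_unpack`), run packets are under-counted and the loop may consume more input than the frame intends. The `dest_end - pd < 2*l` guard still bounds the writes, so this looks like a decode-correctness problem rather than an out-of-bounds write. Consider adding `l *= 2;` after the fill loop so both branches account for the bytes they emit. Declaring the pair as `unsigned char ps[2];` would also match the type of `*pd` and of the bytes read.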