tm2: Check remaining size before init_get_bits()

Fixes a null pointer dereference. Fixes 2nd half of Ticket800 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2011-12-20 16:53:56 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2011-12-20 16:53:56 +0100
commit: 65f0f9183b99881af58e90e3ae2ad8b0181d52f1 (patch)
tree: 03848d2f06e4ce14ef28b6474b64f8c648adc503
parent: 3c7f75bd84b4c30a0f86a491a37f759dfaaab86d (diff)
download: ffmpeg-65f0f9183b99881af58e90e3ae2ad8b0181d52f1.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 1054a7e06b..95487d9436 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -286,6 +286,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     buf += 4; cur += 4;
     buf += 4; cur += 4; /* unused by decoder */
 
+    if(skip < cur)
+        return -1;
     init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
     if(tm2_build_huff_table(ctx, &codes) == -1)
         return -1;
author	Michael Niedermayer <michaelni@gmx.at>	2011-12-20 16:53:56 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2011-12-20 16:53:56 +0100
commit	65f0f9183b99881af58e90e3ae2ad8b0181d52f1 (patch)
tree	03848d2f06e4ce14ef28b6474b64f8c648adc503
parent	3c7f75bd84b4c30a0f86a491a37f759dfaaab86d (diff)
download	ffmpeg-65f0f9183b99881af58e90e3ae2ad8b0181d52f1.tar.gz