truemotion2dec: Fix overread of input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-24 17:42:14 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-24 17:42:14 +0100
commit: 9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6 (patch)
tree: eb32c8297a911cf7bd2e4c12dd23e4fef4ffe8de
parent: 71e78e1f513ec7356b1a5011bbfc71fcd2fd391b (diff)
download: ffmpeg-9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 1ccac321ac..e29845c088 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -256,6 +256,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     int len, toks;
     TM2Codes codes;
 
+    if (buf_size < 4) {
+        av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n");
+        return -1;
+    }
+
     /* get stream length in dwords */
     len = AV_RB32(buf); buf += 4; cur += 4;
     skip = len * 4 + 4;
@@ -795,7 +800,7 @@ static int decode_frame(AVCodecContext *avctx,
     }
 
     for(i = 0; i < TM2_NUM_STREAMS; i++){
-        t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size);
+        t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip);
         if(t == -1){
             return -1;
         }
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-24 17:42:14 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-24 17:42:14 +0100
commit	9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6 (patch)
tree	eb32c8297a911cf7bd2e4c12dd23e4fef4ffe8de
parent	71e78e1f513ec7356b1a5011bbfc71fcd2fd391b (diff)
download	ffmpeg-9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6.tar.gz