dirac_parser: check prev_pu_offset before using it

Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-12-15 16:03:19 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-12-15 16:04:49 +0100
commit: 2b643855e0244b448fdc37f8dfa2fc4033643037 (patch)
tree: 3337a7d6ef2c1fc1427d20eb64925d463623474d /libavcodec
parent: fef75ef200975863524bd79fa498b789521f5e33 (diff)
download: ffmpeg-2b643855e0244b448fdc37f8dfa2fc4033643037.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c
index a7c7c328ad..a2a22ee5b2 100644
--- a/libavcodec/dirac_parser.c
+++ b/libavcodec/dirac_parser.c
@@ -161,7 +161,9 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
          * we can be pretty sure that we have a valid parse unit */
         if (!unpack_parse_unit(&pu1, pc, pc->index - 13)                     ||
             !unpack_parse_unit(&pu, pc, pc->index - 13 - pu1.prev_pu_offset) ||
-            pu.next_pu_offset != pu1.prev_pu_offset) {
+            pu.next_pu_offset != pu1.prev_pu_offset                          ||
+            pc->index < pc->dirac_unit_size + 13LL + pu1.prev_pu_offset
+        ) {
             pc->index -= 9;
             *buf_size = next-9;
             pc->header_bytes_needed = 9;
author	Michael Niedermayer <michaelni@gmx.at>	2012-12-15 16:03:19 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-12-15 16:04:49 +0100
commit	2b643855e0244b448fdc37f8dfa2fc4033643037 (patch)
tree	3337a7d6ef2c1fc1427d20eb64925d463623474d /libavcodec
parent	fef75ef200975863524bd79fa498b789521f5e33 (diff)
download	ffmpeg-2b643855e0244b448fdc37f8dfa2fc4033643037.tar.gz