indeo3dec: Fix end pointer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

indeo3dec: Fix end pointer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8a521d57 · Michael Niedermayer · 7e496e15 · 8a521d57
Commit 8a521d57 authored Mar 26, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

indeo3.c libavcodec/indeo3.c +4 -3

No files found.
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -840,13 +840,13 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    /* each plane data starts with mc_vector_count field, */
    /* an optional array of motion vectors followed by the vq data */
-    num_vectors = bytestream_get_le32(&data);
+    num_vectors = bytestream_get_le32(&data); data_size -= 4;
    if (num_vectors > 256) {
        av_log(ctx->avctx, AV_LOG_ERROR,
               "Read invalid number of motion vectors %d\n", num_vectors);
        return AVERROR_INVALIDDATA;
    }
-    if (num_vectors * 2 >= data_size)
+    if (num_vectors * 2 > data_size)
        return AVERROR_INVALIDDATA;
    ctx->num_vectors = num_vectors;
@@ -857,7 +857,7 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    ctx->skip_bits   = 0;
    ctx->need_resync = 0;
-    ctx->last_byte = data + data_size - 1;
+    ctx->last_byte = data + data_size;
    /* initialize the 1st cell and set its dimensions to whole plane */
    curr_cell.xpos   = curr_cell.ypos = 0;
@@ -894,6 +894,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
    /* parse the bitstream header */
    bs_hdr = buf_ptr;
+    buf_size -= 16;
    if (bytestream_get_le16(&buf_ptr) != 32) {
        av_log(avctx, AV_LOG_ERROR, "Unsupported codec version!\n");