[FFmpeg-cvslog] dsicinav: Bound-check the source buffer when needed

[Luca Barbato]

ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Fri Jul 19 21:09:40 2013 +0200| [dd0bfc3a6a310e3e3674ce7742672d689a9a0e93] | committer: Luca Barbato

dsicinav: Bound-check the source buffer when needed

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dd0bfc3a6a310e3e3674ce7742672d689a9a0e93
---

 libavcodec/dsicinav.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index 7b36742..afcb8ef 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -195,11 +195,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size,
     while (src < src_end && dst < dst_end) {
         code = *src++;
         if (code & 0x80) {
+            if (src >= src_end)
+                break;
             len = code - 0x7F;
             memset(dst, *src++, FFMIN(len, dst_end - dst));
         } else {
             len = code + 1;
-            memcpy(dst, src, FFMIN(len, dst_end - dst));
+            memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
             src += len;
         }
         dst += len;