[FFmpeg-cvslog] vmdav: Try to fix unpack_rle()
Michael Niedermayer
git at videolan.org
Mon Jun 3 02:58:44 CEST 2013
ffmpeg | branch: release/1.1 | Michael Niedermayer <michaelni at gmx.at> | Wed May 1 23:46:38 2013 +0200| [2fae70db2ac2ffaf7968637fe4f111a24e7e4351] | committer: Michael Niedermayer
vmdav: Try to fix unpack_rle()
This fixes out of array accesses
The code prior to this commit could not have worked, thus obviously
was untested. I was also not able to find a valid sample that uses this
code.
This fix is thus only based on the description of the format
If someone has a sample that uses unpack_rle(), please mail me.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb)
Conflicts:
libavcodec/vmdav.c
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2fae70db2ac2ffaf7968637fe4f111a24e7e4351
---
libavcodec/vmdav.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index ca0916b..9c24a01 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -179,12 +179,14 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
bytestream2_get_buffer(&gb, pd, l);
pd += l;
} else {
+ int ps[2];
if (dest_end - pd < 2*l || bytestream2_get_bytes_left(&gb) < 2)
return bytestream2_tell(&gb);
-
+ ps[0] = bytestream2_get_byteu(&gb);
+ ps[1] = bytestream2_get_byteu(&gb);
for (j = 0; j < l; j++) {
- *pd++ = bytestream2_get_byteu(&gb);
- *pd++ = bytestream2_get_byteu(&gb);
+ *pd++ = ps[0];
+ *pd++ = ps[1];
}
}
i += l;
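Review bot: The else branch needs a short comment saying that a run is one 2-byte pair read once and repeated l times, and that this reading comes from the format description only, because the commit message states that no sample exercises this path and the code does not otherwise record that it is untested. The two unchecked bytestream2_get_byteu() calls are now covered by the existing bytestream2_get_bytes_left(&gb) < 2 guard, which was not true of the old loop that read 2*l bytes, so the bounds logic in the visible lines is consistent. As a style point, ps[] only ever holds byte values that are stored through pd, so declaring it as unsigned char ps[2] (matching the dest type in the function signature) would state the intent more clearly than int ps[2]. The subject line also says unpack_rle() while the hunk header shows the function is rle_unpack(); using the real name would make the commit easier to find later.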