# HG changeset patch
# User michael
# Date 1121125187 0
# Node ID 587ed6630b5d8dc2ab7e17fe829cb8979a32fd11
# Parent  1bf080e490db1d5be2b090737b3d2f52b691c4ba
check len (should fix #1165694)

diff -r 1bf080e490db -r 587ed6630b5d mjpeg.c
--- a/mjpeg.c	Mon Jul 11 22:56:23 2005 +0000
+++ b/mjpeg.c	Mon Jul 11 23:39:47 2005 +0000
@@ -1585,10 +1585,11 @@
 {
     int len, id;
 
-    /* XXX: verify len field validity */
     len = get_bits(&s->gb, 16);
     if (len < 5)
 	return -1;
+    if(8*len + get_bits_count(&s->gb) > s->gb.size_in_bits)
+        return -1;
 
     id = (get_bits(&s->gb, 16) << 16) | get_bits(&s->gb, 16);
     id = be2me_32(id);