# HG changeset patch
# User reimar
# Date 1243763986 0
# Node ID 8ebcc162db3d6b018dbd7e29ecf7ebd66e26fa3d
# Parent 8e4d442554b3bbc0624b7ae143ecdff4b77b77a3
Add sanity check for mthread_inlen, avoids crashes due to invalid reads.
diff -r 8e4d442554b3 -r 8ebcc162db3d lcldec.c
--- a/lcldec.c Sun May 31 09:57:42 2009 +0000
+++ b/lcldec.c Sun May 31 09:59:46 2009 +0000
@@ -190,6 +190,7 @@
 case COMP_MSZH:
 if (c->flags & FLAG_MULTITHREAD) {
 mthread_inlen = *(unsigned int*)encoded;
+ mthread_inlen = FFMIN(mthread_inlen, len - 8);
 mthread_outlen = *(unsigned int*)(encoded+4);
 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);
 mszh_dlen = mszh_decomp(encoded + 8, mthread_inlen, c->decomp_buf, c->decomp_size);
@@ -236,6 +237,7 @@
 if (c->flags & FLAG_MULTITHREAD) {
 int ret;
 mthread_inlen = *(unsigned int*)encoded;
+ mthread_inlen = FFMIN(mthread_inlen, len - 8);
 mthread_outlen = *(unsigned int*)(encoded+4);
 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);
 ret = zlib_decomp(avctx, encoded + 8, mthread_inlen, 0, mthread_outlen);
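Review bot: The added clamp `FFMIN(mthread_inlen, len - 8)` only bounds the read when `len` is at least 8; for a shorter packet `len - 8` goes negative or, if `len` is unsigned (its declaration is outside the hunk), wraps to a very large value, so `mthread_inlen` stays effectively unbounded. In that case the two header reads from `encoded` and `encoded+4` on the neighbouring lines already run past the input. Neither hunk shows a minimum-length check, so unless one exists earlier in the function, both the MSZH branch and the zlib branch in the second hunk need a guard before the header is read, e.g. `if (len < 8) return -1;` adapted to the function's error convention. The enclosing function starts and ends outside both hunks.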