# HG changeset patch
# User fenrir
# Date 1267729844 0
# Node ID a4596f842e189881be5b9b9d00a7d412fa72d014
# Parent 1682a19a08811d63b1c81f5f79dfddbd16fef9be
Fixed buffer overread in flashsv decoder.

diff -r 1682a19a0881 -r a4596f842e18 flashsv.c
--- a/flashsv.c Thu Mar 04 12:34:15 2010 +0000
+++ b/flashsv.c Thu Mar 04 19:10:44 2010 +0000
@@ -113,6 +113,8 @@
     /* no supplementary picture */
     if (buf_size == 0)
         return 0;
+    if (buf_size < 4)
+        return -1;
 
     init_get_bits(&gb, buf, buf_size * 8);
 
@@ -181,6 +183,11 @@
         /* get the size of the compressed zlib chunk */
         int size = get_bits(&gb, 16);
 
+        if (8 * size > get_bits_left(&gb)) {
+            avctx->release_buffer(avctx, &s->frame);
+            s->frame.data[0] = NULL;
+            return -1;
+        }
         if (size == 0) {
             /* no change, don't do anything */
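Review bot: The new guard `if (buf_size < 4)` in the first hunk carries a bare constant, and nothing in the hunk says which reads the 4 bytes protect, so a later change to the header parsing after `init_get_bits()` could silently invalidate the bound. Add a comment that ties it to those reads, e.g. `/* the fixed header consumed below must fit in the buffer; keep in sync with the get_bits() calls that follow */`, and confirm the width against the actual header fields, which are outside this hunk. The early `return -1;` is also silent; if the file already reports malformed input via `av_log(avctx, AV_LOG_ERROR, ...)`, doing the same here makes truncated packets diagnosable rather than indistinguishable from other failures. The enclosing decode function starts and ends outside the hunk.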