vmnc: check input size before reading chunk header, fix overread

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

vmnc: check input size before reading chunk header, fix overread
39c5cd60 · Michael Niedermayer · b6165882 · 39c5cd60
Commit 39c5cd60 authored 12 years ago by Michael Niedermayer
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -332,6 +332,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
    src += 2;
    chunks = AV_RB16(src); src += 2;
    while(chunks--) {
+        if(buf_size - (src - buf) < 12) {
+            av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n");
+            return -1;
+        }
        dx = AV_RB16(src); src += 2;
        dy = AV_RB16(src); src += 2;
        w  = AV_RB16(src); src += 2;