From 65f0f9183b99881af58e90e3ae2ad8b0181d52f1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 20 Dec 2011 16:53:56 +0100
Subject: [PATCH] tm2: Check remaining size before init_get_bits() Fixes a null
 pointer dereference. Fixes 2nd half of Ticket800 Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/truemotion2.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 1054a7e06b0..95487d94361 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -286,6 +286,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     buf += 4; cur += 4;
     buf += 4; cur += 4; /* unused by decoder */
 
+    if(skip < cur)
+        return -1;
     init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
     if(tm2_build_huff_table(ctx, &codes) == -1)
         return -1;
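Review bot: The added guard `if(skip < cur)` only keeps the size passed to init_get_bits() from going negative; it does not bound `skip` by the bytes actually left in `buf`. If `skip` comes from a length field in the stream (its computation is outside this hunk), a large value still passes, and `(skip - cur) * 8` can overflow `int` or size the bit reader past the end of the packet. Consider also checking against the function's size argument, whose name is truncated in the hunk header, e.g. `if(skip < cur || skip > buf_size) return -1;` with `buf_size` standing in for that parameter. A short comment would help too, such as `/* declared stream length ends before the header fields already consumed */`. tm2_read_stream starts and ends outside the hunk, so an earlier bound on `skip` may already exist and should be confirmed.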
-- 
GitLab