From cc24665f4479af6eb49c05033bf2d6fbae8c1f83 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Fri, 7 Sep 2018 15:09:40 +0200
Subject: [PATCH] avcodec/scpr: make sure count and min are valid

---
 libavcodec/scpr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index ee6bf21b71e..f1584355c03 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -529,7 +529,7 @@ static int decompress_p(AVCodecContext *avctx,
         return ret;
 
     max += temp << 8;
-    if (min > max)
+    if (min > max || min >= s->nbcount)
         return AVERROR_INVALIDDATA;
 
     memset(s->blocks, 0, sizeof(*s->blocks) * s->nbcount);
@@ -541,6 +541,8 @@ static int decompress_p(AVCodecContext *avctx,
         ret |= decode_value(s, s->count_model, 256, 20, &count);
         if (ret < 0)
             return ret;
+        if (count <= 0)
+            return AVERROR_INVALIDDATA;
 
         while (min < s->nbcount && count-- > 0) {
             s->blocks[min++] = fill;
-- 
GitLab