From c7e551d37d62140ff1d1e2ffc9106c863454cd8c Mon Sep 17 00:00:00 2001
From: Shitiz Garg <mail@dragooon.net>
Date: Wed, 14 Dec 2011 18:29:21 +0530
Subject: [PATCH] 4xm: added a check to keep in buffer's limit

decode_frame may attempt to read from outside the buffer's limit
Fixes bugzilla #135
---
 libavcodec/4xm.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 21bde52..bc2ef58 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -660,9 +660,15 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     uint16_t *dst= (uint16_t*)f->current_picture.data[0];
     const int stride= f->current_picture.linesize[0]>>1;
     const unsigned int bitstream_size= AV_RL32(buf);
+
+    if (length < bitstream_size + 12) {
+        av_log(f->avctx, AV_LOG_ERROR, "attempting to read from outside the buffer\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
-    unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
-    const uint8_t *prestream= buf + bitstream_size + 12;
+    unsigned int prestream_size = 4*AV_RL32(buf + bitstream_size + 4);
+    const uint8_t *prestream = buf + bitstream_size + 12;
 
     if(prestream_size + bitstream_size + 12 != length
        || bitstream_size > (1<<26)
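Review bot: The added guard `length < bitstream_size + 12` can be bypassed: `bitstream_size` is an `unsigned int` read from the packet with `AV_RL32(buf)`, so `bitstream_size + 12` wraps to a small value for sizes near `UINT_MAX`, and the `AV_RL32(buf + bitstream_size + 8)` and `+ 4` reads below still land outside the buffer. The comparison is also carried out in unsigned arithmetic, so a negative `length` is not rejected either. Comparing without the addition closes both cases: `if (length < 12 || bitstream_size > (unsigned)length - 12) {`. The `bitstream_size > (1<<26)` test in the `if` that follows runs only after those reads, so it does not help here; that `if` and the rest of decode_i_frame continue outside the hunk. The check also now precedes the `token_count`, `prestream_size` and `prestream` declarations, which may trip a declaration-after-statement warning if the project builds with one.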
-- 
1.7.5.4

