From 35cb6854bb76b4a5b6f2aea2dce81e18d7ab61cd Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sun, 25 Sep 2011 00:08:51 +0200
Subject: [PATCH] Fix potential pointer arithmetic overflows in rle_unpack() of
 vmd video decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vmdav.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 98bd485c3e..6729af6af7 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -179,13 +179,13 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count,
         l = *ps++;
         if (l & 0x80) {
             l = (l & 0x7F) * 2;
-            if (pd + l > dest_end || ps_end - ps < l)
+            if (dest_end - pd < l || ps_end - ps < l)
                 return ps - src;
             memcpy(pd, ps, l);
             ps += l;
             pd += l;
         } else {
-            if (pd + i > dest_end || ps_end - ps < 2)
+            if (dest_end - pd < i || ps_end - ps < 2)
                 return ps - src;
             for (i = 0; i < l; i++) {
                 *pd++ = ps[0];