From 4299dfa5ded84111231a456ad102f65f6f62649e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 3 Mar 2012 03:37:52 +0100
Subject: [PATCH] qpeg: Fix out of array writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/qpeg.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index ca48b6bcf3..f2dba732bc 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -203,6 +203,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
 filled = 0;
 dst -= stride;
 height--;
+ if(height < 0)
+ break;
 }
 }
 } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
@@ -214,6 +216,8 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
 filled = 0;
 dst -= stride;
 height--;
+ if(height < 0)
+ break;
 }
 }
 size -= code + 1;
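Review bot: The added `break` in both hunks exits only the nearest enclosing loop (presumably the per-pixel loop closed by the braces that follow), so whether decoding really stops once `height < 0` depends on the outer decode loop, which starts and ends outside these hunks. If that loop does not also test `height`, the next run or copy code would write through `dst` again after it has already stepped past the last row. Since `qpeg_decode_inter` returns `void`, `if(height < 0) return;` would end decoding outright, provided nothing after the outer loop still has to run; otherwise add `height >= 0` to the outer loop's condition. In the second hunk the early exit is still followed by `size -= code + 1;`, so `size` drops by the full copy length even though the loop stopped early; a short comment such as `/* picture is full: ignore the rest of this code */` on the check would record that this is intended.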