From 65cd45a88c4a657b4ae0c81b753bb0d065a4e25a Mon Sep 17 00:00:00 2001
From: Daniel Kang <daniel.d.kang@gmail.com>
Date: Thu, 6 Jan 2011 23:14:27 +0000
Subject: [PATCH] Prevent a crash by sanity checking buffer reads.

Patch by Daniel Kang, daniel.d.kang at gmail

Originally committed as revision 26251 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/bfi.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/libavcodec/bfi.c b/libavcodec/bfi.c
index 91c8f6d24d..ca72c1fd46 100644
--- a/libavcodec/bfi.c
+++ b/libavcodec/bfi.c
@@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx)
 static int bfi_decode_frame(AVCodecContext * avctx, void *data,
                             int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
     int buf_size = avpkt->size;
     BFIContext *bfi = avctx->priv_data;
     uint8_t *dst = bfi->dst;
@@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
         unsigned int code = byte >> 6;
         unsigned int length = byte & ~0xC0;
 
+        if (buf >= buf_end) {
+            av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
+            return -1;
+        }
+
         /* Get length and offset(if required) */
         if (length == 0) {
             if (code == 1) {
@@ -121,6 +126,10 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
         switch (code) {
 
         case 0:                //Normal Chain
+            if (length >= buf_end - buf) {
+                av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
+                return -1;
+            }
             bytestream_get_buffer(&buf, dst, length);
             dst += length;
             break;