diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index e1824384c5..602de99f10 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -444,6 +444,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s) if (s->flags & FLAG_KEYFRAME) { /* no change bits specified for a keyframe; only index bytes */ s->index_stream = s->mb_change_bits; + if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size) + return AVERROR_INVALIDDATA; } else { /* one change bit per 4x4 block */ s->index_stream = s->mb_change_bits +