From a1804df66a4064aa30554a11e4fd6cdac3ed89c0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sun, 3 Aug 2014 00:54:33 +0100
Subject: [PATCH] huffyuvdec: check width size for yuv422p

Avoid out of array accesses.

CC: libav-stable@libav.org
Bug-Id: CVE-2013-0848
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
	libavcodec/huffyuvdec.c
---
 libavcodec/huffyuv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
index 0933575f14..9630537584 100644
--- a/libavcodec/huffyuv.c
+++ b/libavcodec/huffyuv.c
@@ -538,6 +538,13 @@ s->bgr32=1;
         return AVERROR_INVALIDDATA;
     }
 
+    if (s->predictor == MEDIAN && avctx->pix_fmt == PIX_FMT_YUV422P &&
+        avctx->width % 4) {
+        av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 "
+               "for this combination of colorspace and predictor type.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     alloc_temp(s);
 
 //    av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);