From b1e242bc565665420661e016127fe07b4b615ecb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 10 Jul 2015 16:54:51 +0200
Subject: [PATCH] avcodec/g2meet: Check R/G/B values in
 epic_decode_pixel_pred()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: asan_double-free_d34593_861_smp3.wmv

Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/g2meet.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index b952adbb17..22efd7583a 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -555,6 +555,11 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y,
         B     = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta);
     }
 
+    if (R<0 || G<0 || B<0) {
+        av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B);
+        return 0;
+    }
+
     return (R << R_shift) | (G << G_shift) | (B << B_shift);
 }