From b2788fe9347c02b1355574f3d28d60bfe1250ea7 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Wed, 1 Feb 2017 11:50:38 +0100
Subject: [PATCH] svq3: fix the slice size check
Currently it incorrectly compares bits with bytes. Also, move the check right before where it's relevant, so that the correct number of remaining bits is used.
CC: libav-stable@libav.org
---
 libavcodec/svq3.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 20c8f89e76..667d3906a1 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -1031,17 +1031,16 @@ static int svq3_decode_slice_header(AVCodecContext *avctx)
 slice_bits = slice_length * 8;
 slice_bytes = slice_length + length - 1;
- if (slice_bytes > bitstream_bits_left(&s->bc)) {
- av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
- return -1;
- }
-
 bitstream_skip(&s->bc, 8);
 av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE);
 if (!s->slice_buf)
 return AVERROR(ENOMEM);
+ if (slice_bytes * 8 > bitstream_bits_left(&s->bc)) {
+ av_log(avctx, AV_LOG_ERROR, "slice after bitstream end\n");
+ return AVERROR_INVALIDDATA;
+ }
 memcpy(s->slice_buf, s->bc.buffer + bitstream_tell(&s->bc) / 8, slice_bytes);
 if (s->watermark_key) {
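Review bot: The relocated bounds check now sits after `av_fast_malloc(&s->slice_buf, &s->slice_size, slice_bytes + AV_INPUT_BUFFER_PADDING_SIZE)`, so a slice length taken from the bitstream sizes an allocation before it is validated against the data actually present. Moving the added `if (slice_bytes * 8 > bitstream_bits_left(&s->bc))` block to directly after `bitstream_skip(&s->bc, 8);` keeps the corrected bit count and rejects an oversized slice before any buffer is grown. The function body starts and ends outside the hunk, so the declarations of `slice_bytes` and `slice_length` are not visible; if they are plain `int` derived from an untrusted field, `slice_bytes > bitstream_bits_left(&s->bc) / 8` expresses the same bound for a non-negative remainder without a multiplication that could wrap. A one-line comment above the check, such as `/* slice_bytes comes from the stream: keep the memcpy source inside the input buffer */`, would record why the check guards the copy.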