From e2b8b4caf6c0ae2b6a49520c3766c40924f1cb2d Mon Sep 17 00:00:00 2001
From: Benoit Fouet
Date: Wed, 26 Nov 2014 10:12:18 +0100
Subject: [PATCH] avformat/apngdec: validate frame dimensions.

Signed-off-by: Michael Niedermayer
---
 libavformat/apngdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index 8aa70a0333..276d7659d8 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -301,7 +301,11 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
 height != s->streams[0]->codec->height ||
 x_offset != 0 ||
 y_offset != 0) {
- if (sequence_number == 0)
+ if (sequence_number == 0 ||
+ x_offset >= s->streams[0]->codec->width ||
+ width > s->streams[0]->codec->width - x_offset ||
+ y_offset >= s->streams[0]->codec->height ||
+ height > s->streams[0]->codec->height - y_offset)
 return AVERROR_INVALIDDATA;
 ctx->is_key_frame = 0;
 } else {
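Review bot: The new bounds test in decode_fctl_chunk still accepts a sub-frame whose `width` or `height` is zero, because `0 > codec->width - x_offset` is false whenever the offset is in range. If nothing later in the function rejects empty frames, add `width == 0 || height == 0 ||` to the same condition so that a degenerate fcTL chunk fails with AVERROR_INVALIDDATA here rather than reaching the decoder. The subtractions are only safe because each `*_offset >= ...` test comes first and short-circuits. The variable declarations are outside the hunk, but if the fields are unsigned 32-bit values read from the file, swapping the order would let the subtraction wrap. A comment such as `/* offset checks must precede the subtractions so they cannot wrap */` would protect that ordering from later edits. The function body starts and ends outside this hunk, so both points should be confirmed against the full definition.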