From f0bf9e9c2a65e9a2b9d9e4e94f99acb191dc7ae7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 15 Apr 2012 14:16:55 +0200
Subject: [PATCH] indeo: Check allocated tile size in ff_ivi_process_empty_tile()
This prevents writing into a too small array if some parameters changed without the tile being reallocated.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/ivi_common.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 64f7363345..ba8853bbec 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -486,6 +486,12 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
 void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type);
+ if( tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size) ){
+ av_log(avctx, AV_LOG_ERROR, "allocated tile size %d mismatches parameters %d in ff_ivi_process_empty_tile()\n",
+ tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size));
+ return;
+ }
+
 offs = tile->ypos * band->pitch + tile->xpos;
 mb = tile->mbs;
 ref_mb = tile->ref_mbs;
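Review bot: The new guard in ff_ivi_process_empty_tile() stops the undersized-array write, but the function is `void` (per the hunk header), so a rejected tile is reported only through av_log() and the caller cannot tell it was skipped and carries on decoding the frame. Consider propagating the failure, e.g. `return AVERROR_INVALIDDATA;`, so the caller can abort the frame; that needs a signature change outside this hunk. The check also covers only this one consumer of `tile->mbs`: if other decode paths walk the macroblock array using sizes derived from the current width/height/mb_size, they presumably need the same comparison, or better, the mismatch should be rejected at the point where the parameters change without reallocation. Minor: `IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)` is expanded twice; a local holding the expected count would keep the test and the log message in sync. The function body starts and ends outside the hunk.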