From 21d730f77e910810c1d3b2b69ce167d2da702be9 Mon Sep 17 00:00:00 2001
From: Daniel Kang <daniel.d.kang@gmail.com>
Date: Wed, 5 Jan 2011 23:46:33 -0500
Subject: [PATCH] Sanity check on buffer reads

---
 libavcodec/bfi.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/libavcodec/bfi.c b/libavcodec/bfi.c
index 91c8f6d..00631f0 100644
--- a/libavcodec/bfi.c
+++ b/libavcodec/bfi.c
@@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx)
 static int bfi_decode_frame(AVCodecContext * avctx, void *data,
                             int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    const uint8_t *buf = avpkt->data, *buf2 = avpkt->data;
     int buf_size = avpkt->size;
     BFIContext *bfi = avctx->priv_data;
     uint8_t *dst = bfi->dst;
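Review bot: The name `buf2` on the changed declaration does not say that it holds the start of the packet, which is the only thing the later bounds check uses it for. A name such as `buf_start`, or an end pointer declared after `buf_size` as `const uint8_t *buf_end = buf + buf_size;`, would let the check read as `buf >= buf_end` without the subtraction. The body of bfi_decode_frame continues outside this hunk.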
@@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
         unsigned int code = byte >> 6;
         unsigned int length = byte & ~0xC0;

+        if (buf-buf2 >= buf_size) {
+            av_log(NULL, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
+            return -1;
+        }
+
         /* Get length and offset(if required) */
         if (length == 0) {
             if (code == 1) {
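Review bot: The added guard `if (buf-buf2 >= buf_size)` only establishes that a single byte is left, and it sits after `byte` has already been derived from the input (that read is above the hunk, so an empty or exhausted packet may be touched before the test runs). The branches under "Get length and offset" that follow appear to consume more than one byte per iteration, and any later copy of `length` bytes from `buf` is not bounded by this test, so a truncated packet could still be read past its end. Consider comparing the remaining byte count against what each branch actually needs before it reads. Separately, `av_log(NULL, ...)` loses the stream context; `avctx` is in scope, so `av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");` would attribute the error to the right decoder. The loop body continues outside the hunk.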
--
1.7.2.2
