dsicinav: Bound-check the source buffer when needed

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dd0bfc3a6a310e3e3674ce7742672d689a9a0e93)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index a379531613f4983821605dd166676c89d19d436c..108424c858917e9b0d6775d6d6c963fa557cfd67 100644 (file)
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -187,11 +187,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char
     while (src < src_end && dst < dst_end) {
         code = *src++;
         if (code & 0x80) {
+            if (src >= src_end)
+                break;
             len = code - 0x7F;
             memset(dst, *src++, FFMIN(len, dst_end - dst));
         } else {
             len = code + 1;
-            memcpy(dst, src, FFMIN(len, dst_end - dst));
+            memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
             src += len;
         }
         dst += len;