From 7543fd80e5c24aa835e4bcf5d8ef02b18f242018 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Fri, 13 Jul 2012 02:02:10 +0000
Subject: [PATCH] exr: check size of uncompressed buffer returned by
 uncompress()

The actual size of uncompressed buffer returned by uncompress() may be
smaller than expected, so abort decoding in such cases.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
---
 libavcodec/exr.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 52e8916796..f175706a3d 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -545,7 +545,10 @@ static int decode_frame(AVCodecContext *avctx,
                 const uint8_t *red_channel_buffer, *green_channel_buffer, *blue_channel_buffer, *alpha_channel_buffer = 0;
 
                 if ((s->compr == EXR_ZIP1 || s->compr == EXR_ZIP16) && data_size < uncompressed_size) {
-                    if (uncompress(s->tmp, &uncompressed_size, avpkt->data + line_offset, data_size) != Z_OK) {
+                    unsigned long dest_len = uncompressed_size;
+
+                    if (uncompress(s->tmp, &dest_len, avpkt->data + line_offset, data_size) != Z_OK ||
+                        dest_len != uncompressed_size) {
                         av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
                         return AVERROR(EINVAL);
                     }