From b81d804f2ac113a46d1736751401d78f998db56d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 11 Nov 2012 18:08:39 +0100
Subject: [PATCH] zmbvdec: Check the buffer size for uncompressed data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also don't pointlessly set the buffer size to 1 after copying one packet.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
(cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696)
Signed-off-by: Luca Barbato
---
 libavcodec/zmbv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index a36a844b1f..9df0d53525 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -497,8 +497,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
 }
 if (c->comp == 0) { //Uncompressed data
+ if (c->decomp_size < len) {
+ av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
+ return AVERROR_INVALIDDATA;
+ }
 memcpy(c->decomp_buf, buf, len);
- c->decomp_size = 1;
 } else { // ZLIB-compressed data
 c->zstream.total_in = c->zstream.total_out = 0;
 c->zstream.next_in = buf;
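Review bot: After the new size check in the `c->comp == 0` branch, nothing in the visible lines records how many bytes `memcpy` actually placed in `c->decomp_buf`, so a packet with a short `len` passes the check and leaves the rest of the buffer holding whatever an earlier frame wrote there. If the frame decoders that consume `decomp_buf` later in `decode_frame` assume a full frame of data, they would process those stale bytes; it is worth confirming that they bound their reads by the copied length, or storing `len` alongside the buffer so they can check it. The comparison is also only safe against a negative `len` if `decomp_size` is unsigned, which the hunk does not show; `if (len < 0 || c->decomp_size < len) {` would make the guard independent of the declarations. `decode_frame` starts and ends outside this hunk, so both points need to be checked against the full function.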