From cb4a101fbe2729f77d636c264b11789d251bfe84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 01:24:20 +0300 Subject: [PATCH] rpza: Fix a buffer size check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6) Signed-off-by: Luca Barbato (cherry picked from commit f06e39fe6b272a11782c023c31eec43bfce3138d) --- libavcodec/rpza.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 59c3a7b3a7..c0cea865df 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -202,7 +202,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: - if (s->size - stream_ptr < 16) + if (s->size - stream_ptr < 30) return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) {
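Review bot: In the `case 0x00:` branch the new bound is a bare `30` directly under a comment that reads "Fill block with 16 colors", so the code alone does not explain why the minimum is 30 bytes rather than 16 or 32. The reasoning (2 bytes for 15 of the 16 pixels) exists only in the commit message. Suggest spelling the constant as `if (s->size - stream_ptr < 15 * 2)` and adding a one-line comment that 15 pixels of 2 bytes each are read from the stream in the loop that follows, so a later edit to that loop is less likely to leave the check out of step again. Separately, the short-input path is a plain `return;` from a `void` function, so a truncated block is dropped with no diagnostic and the caller cannot tell that decoding stopped early. A warning log at that point would make malformed or truncated input visible when triaging reports like this one.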