From d2a065437a96b5ab73f15362fe3d5cde3c61f160 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH] rpza: limit the number of blocks to the total remaining
 blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavcodec/rpza.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 59b15c6d4f..63ea706749 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "libavutil/common.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
@@ -126,6 +127,8 @@ static void rpza_decode_stream(RpzaContext *s)
             }
         }
 
+        n_blocks = FFMIN(n_blocks, total_blocks);
+
         switch (opcode & 0xe0) {
 
         /* Skip blocks */