From 0bae6661cd171abf55cfa4b8970b08c470d65dee Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 1 Jun 2012 23:21:03 +0200
Subject: [PATCH] fraps: fix version 0/1 input data size check. Fixes array overread. Fixes Ticket1371
Signed-off-by: Michael Niedermayer
---
 libavcodec/fraps.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index 30c23d8f3c..1cf4062a21 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -161,17 +161,17 @@ static int decode_frame(AVCodecContext *avctx,
 unsigned needed_size = avctx->width*avctx->height*3;
 if (version == 0) needed_size /= 2;
 needed_size += header_size;
- if (buf_size != needed_size && buf_size != header_size) {
- av_log(avctx, AV_LOG_ERROR,
- "Invalid frame length %d (should be %d)\n",
- buf_size, needed_size);
- return -1;
- }
 /* bit 31 means same as previous pic */
 if (header & (1U<<31)) {
 *data_size = 0;
 return buf_size;
 }
+ if (buf_size != needed_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid frame length %d (should be %d)\n",
+ buf_size, needed_size);
+ return -1;
+ }
 } else {
 /* skip frame */
 if (buf_size == 8) {
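Review bot: The relocated `if (buf_size != needed_size)` test is now the only length guard visible ahead of the version 0/1 pixel reads, so it is only as strong as `needed_size`, which is built from `avctx->width*avctx->height*3` in the operands' own type before being stored as `unsigned`. Whether the dimensions are bounded elsewhere is not visible in this hunk; if they are not, a wrapped product could let a short packet pass the equality test, so a comment above the computation naming the dimension check it relies on would help, for example `/* width*height*3 cannot wrap: dimensions are validated at <place> */`. The log call also prints the unsigned `needed_size` with `%d`; `"Invalid frame length %d (should be %u)\n"` matches the types. Because the check now sits after the bit-31 early return, a repeat-frame packet of any length is accepted, which reads nothing here but deserves a one-line comment saying it is intentional. decode_frame starts and ends outside the hunk.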