From 427802324098eff19b307b486179b56d8b50b9a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Thu, 5 Jan 2012 18:25:40 +0100
Subject: [PATCH] Check for overread in vqa video decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This issue was discovered while decoding the FATE sample vqa/ws_snd.vqa. For some unknown reason only audio decoding is tested by FATE for that file, but not video.

Signed-off-by: Reimar Döffinger
---
 libavcodec/vqavideo.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 917e04be47..ae99c6d9c1 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -322,10 +322,17 @@ static void vqa_decode_chunk(VqaContext *s)
 int hibytes = s->decode_buffer_size / 2;
 /* first, traverse through the frame and find the subchunks */
- while (index < s->size) {
+ while (index + CHUNK_PREAMBLE_SIZE <= s->size) {
+ unsigned next_index;
 chunk_type = AV_RB32(&s->buf[index]);
 chunk_size = AV_RB32(&s->buf[index + 4]);
+ byte_skip = chunk_size & 0x01;
+ next_index = index + CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip;
+ if (next_index > s->size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Dropping incomplete chunk\n");
+ break;
+ }
 switch (chunk_type) {
@@ -366,9 +373,7 @@ static void vqa_decode_chunk(VqaContext *s)
 chunk_type);
 break;
 }
-
- byte_skip = chunk_size & 0x01;
- index += (CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip);
+ index = next_index;
 }
 /* next, deal with the palette */
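Review bot: The `if (next_index > s->size)` guard added in the first hunk can be bypassed by unsigned wraparound: `next_index` is declared as a 32-bit `unsigned` and `chunk_size` is taken straight from `AV_RB32`, so a chunk_size near `UINT32_MAX` plus `byte_skip` wraps the sum back below `s->size` while the oversized `chunk_size` still reaches the case bodies below the hunk. Because the new loop condition already guarantees `index + CHUNK_PREAMBLE_SIZE <= s->size`, the remaining length can be compared without any addition: `unsigned remaining = s->size - index - CHUNK_PREAMBLE_SIZE;` `if (chunk_size > remaining || byte_skip > remaining - chunk_size) { av_log(...); break; }` and only then compute `next_index`. The declarations of `index`, `chunk_size` and `s->size` lie outside the hunk, so confirm they are no wider than 32 bits before relying on the subtraction form. vqa_decode_chunk starts before and ends after both hunks; the second hunk's `index = next_index;` needs no change.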