rv30: fix extradata size check.

It has been checking the number of bits in the offset instead of the
actual offset.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

libavcodec/rv30.c

@@ -34,6 +34,7 @@
 
 static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
 {
+    AVCodecContext *avctx = r->s.avctx;
     int mb_bits;
     int w = r->s.width, h = r->s.height;
     int mb_size;
@@ -51,6 +52,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn
     si->pts = get_bits(gb, 13);
     rpr = get_bits(gb, r->rpr);
     if(rpr){
+        if (avctx->extradata_size < rpr * 2 + 8) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Insufficient extradata - need at least %d bytes, got %d\n",
+                   8 + rpr * 2, avctx->extradata_size);
+            return AVERROR(EINVAL);
+        }
+
         w = r->s.avctx->extradata[6 + rpr*2] << 2;
         h = r->s.avctx->extradata[7 + rpr*2] << 2;
     }
@@ -254,11 +262,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
     }
     r->rpr = (avctx->extradata[1] & 7) >> 1;
     r->rpr = FFMIN(r->rpr + 1, 3);
-    if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
+
-        av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
-               6 + r->rpr * 2, avctx->extradata_size);
-        return AVERROR(EINVAL);
-    }
     r->parse_slice_header = rv30_parse_slice_header;
     r->decode_intra_types = rv30_decode_intra_types;
     r->decode_mb_info     = rv30_decode_mb_info;