From a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 26 Mar 2012 22:11:53 +0200
Subject: [PATCH] indeo3dec: check mv bitstream pointer

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/indeo3.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 62cd835a9b..c24252a043 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -801,6 +801,10 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
 /* get motion vector index and setup the pointer to the mv set */
 if (!ctx->need_resync)
 ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
+ if (ctx->next_cell_data >= ctx->last_byte) {
+ av_log(avctx, AV_LOG_ERROR, "motion vector out of array\n");
+ return AVERROR_INVALIDDATA;
+ }
 mv_idx = *(ctx->next_cell_data++);
 if (mv_idx >= ctx->num_vectors) {
 av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
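Review bot: The added guard before `mv_idx = *(ctx->next_cell_data++)` proves only that the single index byte is readable, and nothing in the hunk says whether `ctx->last_byte` is the last valid byte or one past it, so a reader cannot tell whether `>=` is exact or deliberately conservative. I would add a comment above the check, for example `/* next_cell_data is taken from the bit reader or, when need_resync is set, keeps its earlier value; it must be below last_byte before the 1-byte MV index is read */`, and state the `last_byte` convention where that field is declared. The log text `"motion vector out of array\n"` does not say what overran; something like `"motion vector index pointer beyond end of data\n"` would be easier to tell apart from the existing "motion vector index out of range" message. parse_bintree starts and ends outside the hunk, so whether later reads through `next_cell_data` are bounded in the same way cannot be confirmed from here.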