From b53ed19aa74c447ca245702e2460534509be58fa Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 24 Jan 2013 04:02:14 +0100
Subject: [PATCH] lcldec: Check length before unsigned subtraction.

Fix integer overflow and out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/lcldec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 159e0a1401..f8d45da95a 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -203,6 +203,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
 ;
 } else if (c->flags & FLAG_MULTITHREAD) {
 mthread_inlen = AV_RL32(encoded);
+ if (len < 8) {
+ av_log(avctx, AV_LOG_ERROR, "len %d is too small\n", len);
+ return AVERROR_INVALIDDATA;
+ }
 mthread_inlen = FFMIN(mthread_inlen, len - 8);
 mthread_outlen = AV_RL32(encoded+4);
 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);
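Review bot: The new `if (len < 8)` guard sits after `mthread_inlen = AV_RL32(encoded);`, so the first 32-bit header field is still read before the packet length is validated. Input padding may keep that read inside the allocation, but nothing in the hunk shows it, so the guard would be safer moved above the `AV_RL32(encoded)` line, where both header reads and the `len - 8` subtraction are covered by one check. The commit title calls the subtraction unsigned, which suggests `len` is an unsigned type; if so, the log format should be `"len %u is too small\n"` rather than `%d`. A short comment such as `/* two 32-bit thread lengths precede the payload */` would explain where the constant 8 comes from. The body of decode_frame starts and ends outside the hunk, so any other branch that computes `len - 8` the same way cannot be checked from here.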