From f9eb6229447952c22cd3c3ba232bb3d1023ed5c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Sun, 29 Jan 2012 18:16:23 +0100
Subject: [PATCH] Fix offset validity checks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Offsets are relative to the end of the header, not the start of the buffer, thus the buffer size needs to be subtracted.

Signed-off-by: Reimar Döffinger
---
 libavcodec/fraps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index bbabfd9084..a7d5a73e41 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -186,12 +186,12 @@ static int decode_frame(AVCodecContext *avctx,
 }
 for(i = 0; i < planes; i++) {
 offs[i] = AV_RL32(buf + 4 + i * 4);
- if(offs[i] >= buf_size || (i && offs[i] <= offs[i - 1] + 1024)) {
+ if(offs[i] >= buf_size - header_size || (i && offs[i] <= offs[i - 1] + 1024)) {
 av_log(avctx, AV_LOG_ERROR, "Fraps: plane %i offset is out of bounds\n", i);
 return -1;
 }
 }
- offs[planes] = buf_size;
+ offs[planes] = buf_size - header_size;
 for(i = 0; i < planes; i++) {
 av_fast_padded_malloc(&s->tmpbuf, &s->tmpbuf_size, offs[i + 1] - offs[i] - 1024);
 if (!s->tmpbuf)
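Review bot: The last plane's length is still not bounded below after this change: the loop only requires `offs[planes - 1] < buf_size - header_size`, so `offs[planes] - offs[planes - 1] - 1024` in the following `av_fast_padded_malloc` call can go negative (or wrap, if `offs` is unsigned; its declaration is outside the hunk). Applying the same 1024-byte minimum to the final plane would close that, e.g. after the offset loop `if(buf_size - header_size <= offs[planes - 1] + 1024) return -1;`. The subtraction itself also relies on `buf_size >= header_size` having been established earlier in `decode_frame`, which starts and ends outside this hunk, so that is worth confirming.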