From 8d3c99e825317b7efda5fd12e69896b47c700303 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 2 May 2013 21:52:08 +0200
Subject: mmvideo/mm_decode_inter: check horizontal coordinate too

Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/mmvideo.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'libavcodec/mmvideo.c')

diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index bf47f65..36dc9f9 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -151,6 +151,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
             int replace_array = bytestream2_get_byte(&s->gb);
             for(j=0; j<8; j++) {
                 int replace = (replace_array >> (7-j)) & 1;
+                if (x + half_horiz >= s->avctx->width)
+                    return AVERROR_INVALIDDATA;
                 if (replace) {
                     int color = bytestream2_get_byte(&data_ptr);
                     s->frame.data[0][y*s->frame.linesize[0] + x] = color;
-- 
cgit v1.1