From 39a3a53b66fcc115bd8d0bc0a70db66791eab854 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 4 Mar 2012 06:25:06 +0100
Subject: [PATCH] pngdec: validate length. Fixes out of array reading.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 39afbdd045..55df8b0a57 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -427,7 +427,7 @@ static int decode_frame(AVCodecContext *avctx,
 if (s->bytestream >= s->bytestream_end)
 goto fail;
 length = bytestream_get_be32(&s->bytestream);
- if (length > 0x7fffffff)
+ if (length > 0x7fffffff || length > s->bytestream_end - s->bytestream)
 goto fail;
 tag32 = bytestream_get_be32(&s->bytestream);
 tag = av_bswap32(tag32);
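Review bot: The new bound in `decode_frame` compares `length` with the bytes left before the 4-byte chunk tag is read, so a chunk whose data length equals the remaining input still passes, although the tag and the trailing 4-byte CRC must also fit. Checking against the space the whole chunk needs would close that gap, e.g. `if (length > 0x7fffffff || s->bytestream_end - s->bytestream < 8 || length > s->bytestream_end - s->bytestream - 8) goto fail;`. The guard at the top of the hunk only proves that one byte is available before the 4-byte length read, so `s->bytestream` can already be past `s->bytestream_end` when the subtraction runs. If `length` is unsigned (its declaration is outside the hunk), a negative difference on a 32-bit build may convert to a large unsigned value and let the check pass. The loop body and the per-chunk handlers that consume `length` bytes are also outside the hunk, so whether a residual over-read is reachable, or is absorbed by input padding, needs confirming against them.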