From 6ad45600313f0df1abf31abdd28f4339dbdc7ca0 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Sat, 14 Jul 2012 23:27:21 +0000
Subject: [PATCH] mss1: improve check if decoded pivot is invalid
The pivot has to lie between 0 and base. Check of ==base is insufficient. Thus replace it by a proper check. Fixes out of array write. Fixes bug #1531.
Found-by: Piotr Bandurski
Signed-off-by: Paul B Mahol
---
 libavcodec/mss1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c
index 302a5b84b1..4be7a1febf 100644
--- libavcodec/mss1.c
+++ b/libavcodec/mss1.c
@@ -575,7 +575,7 @@ static int decode_pivot(MSS1Context *ctx, ArithCoder *acoder, int base)
 val = arith_get_number(acoder, (base + 1) / 2 - 2) + 3;
 }
- if (val == base) {
+ if ((unsigned)val >= base) {
 ctx->corrupted = 1;
 return 0;
 }
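Review bot: The new guard `if ((unsigned)val >= base)` compares an unsigned operand with the signed `int base`, so `base` is silently converted to unsigned as well, and the bound is only correct while `base` is non-negative. A negative `base` would become a very large limit and let an out-of-range pivot through, which is the out-of-array write this commit is meant to stop. Whether `base` can be negative here is not visible, because decode_pivot starts and ends outside the hunk. Spelling the range out as `if (val < 0 || val >= base) {` fails closed in that case and avoids the sign-compare warning. If the cast is kept, add a comment such as `/* unsigned compare also rejects negative val; requires base > 0 */`.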