From 936eaa89be5de0eada9d188777427b97e568422a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 2 Dec 2012 20:36:32 +0100
Subject: [PATCH] h264: check for integer overflow, fix null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index abed3649f9..b07c3cb143 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -4010,6 +4010,8 @@ again:
 "SPS decoding failure, trying again with the complete NAL\n");
 if (h->is_avc)
 av_assert0(next_avc - buf_index + consumed == nalsize);
+ if ((next_avc - buf_index + consumed - 1) >= INT_MAX/8)
+ break;
 init_get_bits(&s->gb, &buf[buf_index + 1 - consumed],
 8*(next_avc - buf_index + consumed - 1));
 ff_h264_decode_seq_parameter_set(h);
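Review bot: The new guard ahead of `init_get_bits()` rejects only lengths at or above `INT_MAX/8` and leaves through a bare `break`, so an input that trips it is dropped with no log line and no error value that a caller or a fuzzing harness could observe. The length `next_avc - buf_index + consumed - 1` is now written out three times (assert, guard, call); computing it once, e.g. `int sps_len = next_avc - buf_index + consumed - 1;` followed by `if (sps_len < 0 || sps_len >= INT_MAX/8) break;`, keeps the check and the call in agreement and would also cover a negative length, if the operand types allow one (their declarations are outside the hunk). A short comment such as `/* 8*sps_len must fit in int for init_get_bits() */` would tie the check to the overflow named in the subject, since the hunk itself does not show how the overflow leads to the null dereference. The enclosing function and the construct that `break` exits both lie outside the hunk.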