From 9ebe6e391071690dbee79a645c51b14bd55c2ff4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 2 Jun 2012 02:37:36 +0200
Subject: [PATCH] ffv1: fix integer overflow in quant table initialization

Fixes part of Ticket1372

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/ffv1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 79409e2a16..21f17611a1 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -1651,9 +1651,9 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale){
     memset(state, 128, sizeof(state));
 
     for(v=0; i<128 ; v++){
-        int len= get_symbol(c, state, 0) + 1;
+        unsigned len= get_symbol(c, state, 0) + 1;
 
-        if(len + i > 128) return -1;
+        if(len > 128 - i) return -1;
 
         while(len--){
             quant_table[i] = scale*v;