avcodec/vmdvideo: Check len before using it in method 3

Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd)

Conflicts:

	libavcodec/vmdvideo.c

diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index 1f9694e..94ae895 100644 (file)
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -339,7 +339,7 @@ static void vmd_decode(VmdVideoContext *s)
                         if (*pb++ == 0xFF)
                             len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs);
                         else {
-                        if (pb_end - pb < len)
+                        if (ofs + len > frame_width || pb_end - pb < len)
                             return;
                             memcpy(&dp[ofs], pb, len);
                         }