From 16a0d75c769a7df6f457b2200dbc9a7cc73798c6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 23 Aug 2013 04:14:08 +0200
Subject: [PATCH] avcodec/mjpegdec: fix overread in find_marker()

Found-by: Laurent Butti
Signed-off-by: Michael Niedermayer
---
 libavcodec/mjpegdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6e16152724..f71acc20b2 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1610,7 +1610,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
     int skipped = 0;
 
     buf_ptr = *pbuf_ptr;
-    while (buf_ptr < buf_end) {
+    while (buf_end - buf_ptr > 1) {
         v = *buf_ptr++;
         v2 = *buf_ptr;
         if ((v == 0xff) && (v2 >= 0xc0) && (v2 <= 0xfe) && buf_ptr < buf_end) {
@@ -1619,6 +1619,7 @@ static int find_marker(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
         }
         skipped++;
     }
+    buf_ptr = buf_end;
     val = -1;
 found:
     av_dlog(NULL, "find_marker skipped %d bytes\n", skipped);
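Review bot: The new loop condition `buf_end - buf_ptr > 1` makes the trailing `&& buf_ptr < buf_end` in the `if` on the last context line redundant: after `v = *buf_ptr++` there is still at least one byte left, so that test is always true and now only obscures why the lookahead read of `v2` is safe. Either drop it or replace it with a comment on the `while` line such as `/* need 2 bytes: the 0xff prefix and the marker code read via v2 */`, so the next reader does not reintroduce a `buf_ptr < buf_end` loop that reads one past the end. find_marker's declarations start above the hunk and its body continues below it.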
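Review bot: The added `buf_ptr = buf_end;` silently consumes a lone trailing byte that the loop no longer visits, and that byte is not counted in `skipped`, so the "find_marker skipped %d bytes" debug line under-reports by one in that case; a short comment would make the intent explicit, e.g. `/* fewer than 2 bytes left: no marker can fit, so consume the remainder */`. If the exact count matters for the log, `skipped += buf_end - buf_ptr;` before the assignment would keep it accurate; the rest of the function, including where `*pbuf_ptr` is written back, is outside this hunk.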