From 696ace50ea91a65dff887aaf5296f42a2fbc8f6c Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Thu, 5 Jan 2012 21:28:03 +0100
Subject: [PATCH] truemotion2: check size before GetBitContext initialisation

Prevents null ptr derefence for negative sizes.
---
 libavcodec/truemotion2.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 8d72bb6df0..4045342ffa 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -272,6 +272,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
 len = AV_RB32(buf); buf += 4; cur += 4;
 }
 if(len > 0) {
+ if (skip <= cur)
+ return -1;
 init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
 if(tm2_read_deltas(ctx, stream_id) == -1)
 return -1;
@@ -286,6 +288,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
 buf += 4; cur += 4;
 buf += 4; cur += 4; /* unused by decoder */
 
+ if (skip <= cur)
+ return -1;
 init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
 if(tm2_build_huff_table(ctx, &codes) == -1)
 return -1;
@@ -303,6 +307,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
 ctx->tok_lens[stream_id] = toks;
 len = AV_RB32(buf); buf += 4; cur += 4;
 if(len > 0) {
+ if (skip <= cur)
+ return -1;
 init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
 for(i = 0; i < toks; i++) {
 if (get_bits_left(&ctx->gb) <= 0) {
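Review bot: The guard added in the third hunk, `if (skip <= cur) return -1;` inside `if(len > 0)`, runs after `tm2_build_huff_table(ctx, &codes)` has already succeeded in the second hunk, so whatever that call set up in `codes` is abandoned on this new error path; the two earlier guards return before the table is built and do not have this problem. If `codes` owns heap memory, which its pass-by-address construction suggests but the hunks do not show, this return leaks it, and the function's other post-build error paths presumably release it first, so this one should do the same, e.g. `if (skip <= cur) { tm2_free_codes(&codes); return -1; }` with the release helper's actual name confirmed against the rest of the file. tm2_read_stream begins before the first hunk and the token loop entered at the third hunk's last line continues past it, so the existing cleanup convention is outside this view.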