From 9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 24 Mar 2012 17:42:14 +0100
Subject: [PATCH] truemotion2dec: Fix overread of input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/truemotion2.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 1ccac321ac..e29845c088 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -256,6 +256,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
 int len, toks;
 TM2Codes codes;
 
+ if (buf_size < 4) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n");
+ return -1;
+ }
+
 /* get stream length in dwords */
 len = AV_RB32(buf); buf += 4; cur += 4;
 skip = len * 4 + 4;
@@ -795,7 +800,7 @@ static int decode_frame(AVCodecContext *avctx,
 }
 
 for(i = 0; i < TM2_NUM_STREAMS; i++){
- t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size);
+ t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip);
 if(t == -1){
 return -1;
 }
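Review bot: In tm2_read_stream the new `buf_size < 4` test covers only the 4-byte length field. The `len` read right after it comes from the stream and goes unchecked into `skip = len * 4 + 4;`, which can overflow a signed int and is not compared with `buf_size` anywhere in the hunk. I would bound it before computing skip, e.g. `if (len < 0 || len > (buf_size - 4) / 4) return -1;`, so the returned skip cannot exceed the bytes the caller handed in. The function body continues outside the hunk, so a later check may exist there, but none is visible here.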
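Review bot: In decode_frame's stream loop, `buf_size - skip` goes negative once the accumulated skip exceeds buf_size, and the only thing rejecting that is the callee's `buf_size < 4` test. By then `l->buffer + skip` has already been formed and may point past the data. Assuming skip is advanced by the returned `t` after the visible check (that line is outside the hunk), an explicit `if (skip > buf_size) return -1;` at the top of the loop body would keep the bound local to the caller instead of relying on the callee. A short comment on the call such as `/* bytes remaining after the streams already consumed */` would make the changed argument's meaning clear.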