From b3675f890abee0bc446495711223a5c790234672 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Jun 2012 19:56:10 +0200
Subject: [PATCH] bink: fix out of reference frame read
Fixes Ticket1374
Signed-off-by: Michael Niedermayer
---
 libavcodec/bink.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 8a9367d07d..4ad2e6fd76 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -1128,6 +1128,11 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
 xoff = get_value(c, BINK_SRC_X_OFF);
 yoff = get_value(c, BINK_SRC_Y_OFF);
 ref = prev + xoff + yoff * stride;
+ if (ref < ref_start || ref > ref_end) {
+ av_log(c->avctx, AV_LOG_ERROR, "Copy out of bounds @%d, %d\n",
+ bx*8 + xoff, by*8 + yoff);
+ return -1;
+ }
 c->dsp.put_pixels_tab[1][0](dst, ref, stride, 8);
 memset(dctblock, 0, sizeof(*dctblock) * 64);
 dctblock[0] = get_value(c, BINK_SRC_INTER_DC);
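Review bot: The added guard tests `ref` only after `prev + xoff + yoff * stride` has already been formed from bitstream-controlled offsets, so an out-of-range pointer is computed and compared before anything rejects it; that is undefined behaviour in C, and a compiler is allowed to assume it never happens. Checking the integer coordinates that the log message already computes (`bx*8 + xoff`, `by*8 + yoff`) against the plane dimensions before deriving `ref` would avoid relying on pointer comparison. The guard is also only sufficient if `ref_end` marks the last position from which the full 8-row read by `put_pixels_tab[1][0]` at `stride` stays inside the reference plane; `ref_end` is defined outside this hunk, so that should be confirmed where it is set. For the error path, `return AVERROR_INVALIDDATA;` instead of `return -1;` would let callers tell corrupt input from other failures. The body of bink_decode_plane starts and ends outside the hunk.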