@@ -646,7 +646,7 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

     int magic;

     int got_header = 0;

     uint32_t chunk_size;

-    int chunk_type;

+    int chunk_type, chunk_start;

     int i;

     int ret;

@@ -672,8 +672,9 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

     }

     while (bytestream2_get_bytes_left(&bc) > 5) {

-        chunk_size = bytestream2_get_le32(&bc) - 1;

-        chunk_type = bytestream2_get_byte(&bc);

+        chunk_size  = bytestream2_get_le32(&bc) - 1;

+        chunk_type  = bytestream2_get_byte(&bc);

+        chunk_start = bytestream2_tell(&bc);

         if (chunk_size > bytestream2_get_bytes_left(&bc)) {

             av_log(avctx, AV_LOG_ERROR, "Invalid chunk size %d type %02X\n",

                    chunk_size, chunk_type);

@@ -722,8 +723,6 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

             c->tiles_x = (c->width  + c->tile_width  - 1) / c->tile_width;

             c->tiles_y = (c->height + c->tile_height - 1) / c->tile_height;

             c->bpp = bytestream2_get_byte(&bc);

-            chunk_size -= 21;

-            bytestream2_skip(&bc, chunk_size);

             if (g2m_init_buffers(c)) {

                 ret = AVERROR(ENOMEM);

                 goto header_fail;

@@ -734,7 +733,6 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

             if (!c->tiles_x || !c->tiles_y) {

                 av_log(avctx, AV_LOG_WARNING,

                        "No display info - skipping tile\n");

-                bytestream2_skip(&bc, bytestream2_get_bytes_left(&bc));

                 break;

             }

             if (chunk_size < 2) {

@@ -750,7 +748,6 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

                        c->tile_x, c->tile_y, c->tiles_x, c->tiles_y);

                 break;

             }

-            chunk_size -= 2;

             ret = 0;

             switch (c->compression) {

             case COMPR_EPIC_J_B:

@@ -760,13 +757,12 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

             case COMPR_KEMPF_J_B:

                 ret = kempf_decode_tile(c, c->tile_x, c->tile_y,

                                         buf + bytestream2_tell(&bc),

-                                        chunk_size);

+                                        chunk_size - 2);

                 break;

             }

             if (ret && c->framebuf)

                 av_log(avctx, AV_LOG_ERROR, "Error decoding tile %d,%d\n",

                        c->tile_x, c->tile_y);

-            bytestream2_skip(&bc, chunk_size);

             break;

         case CURSOR_POS:

             if (chunk_size < 5) {

@@ -776,7 +772,6 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

             }

             c->cursor_x = bytestream2_get_be16(&bc);

             c->cursor_y = bytestream2_get_be16(&bc);

-            bytestream2_skip(&bc, chunk_size - 4);

             break;

         case CURSOR_SHAPE:

             if (chunk_size < 8) {

@@ -787,17 +782,17 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data,

             bytestream2_init(&tbc, buf + bytestream2_tell(&bc),

                              chunk_size - 4);

             g2m_load_cursor(avctx, c, &tbc);

-            bytestream2_skip(&bc, chunk_size);

             break;

         case CHUNK_CC:

         case CHUNK_CD:

-            bytestream2_skip(&bc, chunk_size);

             break;

         default:

             av_log(avctx, AV_LOG_WARNING, "Skipping chunk type %02X\n",

                    chunk_type);

-            bytestream2_skip(&bc, chunk_size);

         }

+

+        /* navigate to next chunk */

+        bytestream2_skip(&bc, chunk_start + chunk_size - bytestream2_tell(&bc));

     }

     if (got_header)

         c->got_header = 1;