@@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx,

                  void *data, int *data_size, AVPacket *avpkt)

 {

     const uint8_t *buf = avpkt->data;

+    const uint8_t *buf_end = avpkt->data + avpkt->size;

     int buf_size = avpkt->size;

     AvsContext *const avs = avctx->priv_data;

     AVFrame *picture = data;

@@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx,

     out = avs->picture.data[0];

     stride = avs->picture.linesize[0];

+    if (buf_end - buf < 4)

+        return AVERROR_INVALIDDATA;

     sub_type = buf[0];

     type = buf[1];

     buf += 4;

@@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx,

         first = AV_RL16(buf);

         last = first + AV_RL16(buf + 2);

+        if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first))

+            return AVERROR_INVALIDDATA;

         buf += 4;

         for (i=first; i<last; i++, buf+=3)

             pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2);

@@ -114,9 +119,13 @@ avs_decode_frame(AVCodecContext * avctx,

       return -1;

     }

+    if (buf_end - buf < 256 * vect_w * vect_h)

+        return AVERROR_INVALIDDATA;

     table = buf + (256 * vect_w * vect_h);

     if (sub_type != AVS_I_FRAME) {

         int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);

+        if (buf_end - table < map_size)

+            return AVERROR_INVALIDDATA;

         init_get_bits(&change_map, table, map_size * 8);

         table += map_size;

     }

@@ -124,6 +133,8 @@ avs_decode_frame(AVCodecContext * avctx,

     for (y=0; y<198; y+=vect_h) {

         for (x=0; x<318; x+=vect_w) {

             if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) {

+                if (buf_end - table < 1)

+                    return AVERROR_INVALIDDATA;

                 vect = &buf[*table++ * (vect_w * vect_h)];

                 for (j=0; j<vect_w; j++) {

                     out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j];