From 71e78e1f513ec7356b1a5011bbfc71fcd2fd391b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 24 Mar 2012 16:29:46 +0100
Subject: [PATCH] cavsdec: check stc in decode_slice_header()

Signed-off-by: Michael Niedermayer
---
 libavcodec/cavsdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index daebda26fd..8f87d5abcd 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -418,6 +418,10 @@ static void decode_mb_b(AVSContext *h, enum cavs_mb mb_type) {
 static inline int decode_slice_header(AVSContext *h, GetBitContext *gb) {
 if(h->stc > 0xAF)
 av_log(h->s.avctx, AV_LOG_ERROR, "unexpected start code 0x%02x\n", h->stc);
+
+ if (h->stc >= h->mb_height)
+ return -1;
+
 h->mby = h->stc;
 h->mbidx = h->mby*h->mb_width;
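Review bot: The new `h->stc >= h->mb_height` guard in decode_slice_header() rejects the slice silently, and it only protects the decoder if every caller acts on the `-1`; the callers are outside this hunk, so confirm that none of them discards the return value and carries on with the previous `h->mby`/`h->mbidx`. Because `h->stc` appears to be a start code taken from the stream and becomes the macroblock row index two lines later, a rejected value deserves a log line in the style of the check above, e.g. a braced body with `av_log(h->s.avctx, AV_LOG_ERROR, "slice start code 0x%02x exceeds mb_height\n", h->stc);` before `return -1;`. The `h->stc > 0xAF` test above still only logs and falls through, so when `mb_height` is larger than 0xB0 an out-of-range start code would presumably still be accepted as a row; returning there as well would close that gap. The function body continues past the end of the hunk.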