exr: make sure that data_size is not bigger than expected

Signed-off-by: Paul B Mahol <onemda@gmail.com>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 59144a2..cef5e0c 100644 (file)
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -270,7 +270,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
     uncompressed_size = s->scan_line_size * FFMIN(s->scan_lines_per_block, s->ymax - line + 1);
     if ((s->compr == EXR_RAW && (data_size != uncompressed_size ||
                                  line_offset > buf_size - uncompressed_size)) ||
-        (s->compr != EXR_RAW && line_offset > buf_size - data_size)) {
+        (s->compr != EXR_RAW && (data_size > uncompressed_size ||
+                                 line_offset > buf_size - data_size))) {
         return AVERROR_INVALIDDATA;
     }