From 77bb0004bbe18f1498cfecdc68db5f10808b6599 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH] rpza: limit the number of blocks to the total remaining
 blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
---
 libavcodec/rpza.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 0efd7f4712..83dde7a9c3 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -119,6 +119,8 @@ static void rpza_decode_stream(RpzaContext *s)
             }
         }
 
+        n_blocks = FFMIN(n_blocks, total_blocks);
+
         switch (opcode & 0xe0) {
 
         /* Skip blocks */