diff options
Diffstat (limited to 'libavcodec/bmv.c')
-rw-r--r-- | libavcodec/bmv.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 876c13f..48e9508 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -21,6 +21,7 @@ #include "avcodec.h" #include "bytestream.h" +#include "libavutil/avassert.h" enum BMVFlags{ BMV_NOP = 0, @@ -98,6 +99,8 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } if (!(val & 0xC)) { for (;;) { + if(shift>22) + return -1; if (!read_two_nibbles) { if (src < source || src >= source_end) return -1; @@ -131,6 +134,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } advance_mode = val & 1; len = (val >> 1) - 1; + av_assert0(len>0); mode += 1 + advance_mode; if (mode >= 4) mode -= 3; @@ -223,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac return AVERROR_INVALIDDATA; } for (i = 0; i < 256; i++) - c->pal[i] = bytestream_get_be24(&c->stream); + c->pal[i] = 0xFF << 24 | bytestream_get_be24(&c->stream); } if (type & BMV_SCROLL) { if (c->stream - pkt->data > pkt->size - 2) { @@ -268,6 +272,11 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (avctx->width != SCREEN_WIDE || avctx->height != SCREEN_HIGH) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimension %dx%d\n", avctx->width, avctx->height); + return AVERROR_INVALIDDATA; + } + c->pic.reference = 1; if (avctx->get_buffer(avctx, &c->pic) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); @@ -365,6 +374,7 @@ AVCodec ff_bmv_video_decoder = { .init = decode_init, .close = decode_end, .decode = decode_frame, + .capabilities = CODEC_CAP_DR1, .long_name = NULL_IF_CONFIG_SMALL("Discworld II BMV video"), }; |