Diffstat (limited to 'libavcodec/vb.c')
-rw-r--r-- | libavcodec/vb.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 43954c1..c6dd6fb 100644
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -2,20 +2,20 @@
 * Beam Software VB decoder
 * Copyright (c) 2007 Konstantin Shishkov
 *
- * This file is part of Libav.
+ * This file is part of FFmpeg.
 *
- * Libav is free software; you can redistribute it and/or
+ * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
- * Libav is distributed in the hope that it will be useful,
+ * FFmpeg is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
- * License along with Libav; if not, write to the Free Software
+ * License along with FFmpeg; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */
@@ -73,7 +73,7 @@ static void vb_decode_palette(VBDecContext *c, int data_size)
 return;
 }
 for (i = start; i <= start + size; i++)
- c->pal[i] = bytestream2_get_be24(&c->stream);
+ c->pal[i] = 0xFFU << 24 | bytestream2_get_be24(&c->stream);
 }
 static inline int check_pixel(uint8_t *buf, uint8_t *start, uint8_t *end)
@@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset)
 blk2 = 0;
 for (blk = 0; blk < blocks; blk++) {
 if (!(blk & 3)) {
+ if (bytestream2_get_bytes_left(&g) < 1) {
+ av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n");
+ return AVERROR_INVALIDDATA;
+ }
 blocktypes = bytestream2_get_byte(&g);
 }
 switch (blocktypes & 0xC0) {
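Review bot: In the `@@ -73,7` hunk, `0xFFU << 24 | bytestream2_get_be24(&c->stream)` depends on `<<` binding tighter than `|`; writing it as `(0xFFU << 24) | bytestream2_get_be24(&c->stream)` makes the intent explicit, and a short comment such as `/* force the top byte of every palette entry to 0xFF */` would record why the stored entries differ from the stream bytes. The loop bound `i <= start + size` is inclusive, and the check that keeps it inside `c->pal` sits above the hunk, so it cannot be confirmed from here.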
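Review bot: The new `return AVERROR_INVALIDDATA;` in vb_decode_framedata (the `@@ -107,6` hunk) is not acted on by its caller: in decode_frame, visible in the `@@ -197,20` hunk, the call is still `vb_decode_framedata(c, offset);` with the result discarded, so a truncated packet is logged but decoding carries on and the partially updated frame is presumably still output. Propagate the error with `if ((ret = vb_decode_framedata(c, offset)) < 0) return ret;`. The block loop continues outside the hunk, so whether the later reads from `g` inside the `switch` are bounded as well cannot be judged from these lines.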
@@ -197,20 +201,26 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 bytestream2_init(&c->stream, avpkt->data, avpkt->size);
- if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) {
- av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+ if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
 return ret;
- }
 flags = bytestream2_get_le16(&c->stream);
 if (flags & VB_HAS_GMC) {
 i = (int16_t)bytestream2_get_le16(&c->stream);
 j = (int16_t)bytestream2_get_le16(&c->stream);
+ if (FFABS(j) > avctx->height) {
+ av_log(avctx, AV_LOG_ERROR, "GMV out of range\n");
+ return AVERROR_INVALIDDATA;
+ }
 offset = i + j * avctx->width;
 }
 if (flags & VB_HAS_VIDEO) {
 size = bytestream2_get_le32(&c->stream);
+ if(size > bytestream2_get_bytes_left(&c->stream)+4 || size<4){
+ av_log(avctx, AV_LOG_ERROR, "Frame size invalid\n");
+ return -1;
+ }
 vb_decode_framedata(c, offset);
 bytestream2_skip(&c->stream, size - 4);
 }
@@ -249,6 +259,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
 c->frame = av_mallocz(avctx->width * avctx->height);
 c->prev_frame = av_mallocz(avctx->width * avctx->height);
+ if (!c->frame || !c->prev_frame) {
+ av_freep(&c->frame);
+ av_freep(&c->prev_frame);
+ return AVERROR(ENOMEM);
+ }
+
 return 0;
 }
|
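Review bot: The GMV guard in the `@@ -197,20` hunk bounds only `j`; `i` comes from the same packet as an `int16_t` and goes into `offset = i + j * avctx->width` unchecked, so the horizontal component can still shift the offset by up to 32768 pixels either way regardless of the frame width. Unless a per-pixel range check outside this hunk covers it, extend the condition to `if (FFABS(i) > avctx->width || FFABS(j) > avctx->height) {`. Separately, the new frame-size check returns a bare `-1` while the other error paths added by this commit return `AVERROR_INVALIDDATA`; `return AVERROR_INVALIDDATA;` would keep them consistent. decode_frame begins and ends outside the hunk.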
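Review bot: In the `@@ -249,6` hunk the allocation size `avctx->width * avctx->height` is still multiplied in `int` before it reaches `av_mallocz`, so the new NULL check catches an out-of-memory failure but not a product that overflows and yields a buffer smaller than the decoder later assumes. If the dimensions are not already validated before decode_init runs (not visible here), use an overflow-checked allocation such as `av_calloc(avctx->width, avctx->height)`, if this tree provides it, or reject oversized dimensions explicitly first. The function starts outside the hunk.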