diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-02-29 00:30:35 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-02-29 00:30:35 +0100 |
| commit | 0e6aa0fef565fdb625673c60276e90c2ea091e8e (patch) | |
| tree | f0b08a7f4b465aaa0d9144e9b837b18294db3df6 /libavcodec/indeo3.c | |
| parent | f929abd0c3643b28a9552512d698cf61ad4d08fa (diff) | |
| parent | bbeb29133b55b7256d18f5aaab8b5c8e919a173a (diff) | |
| download | ffmpeg-0e6aa0fef565fdb625673c60276e90c2ea091e8e.tar.gz | |
Merge remote-tracking branch 'qatar/master'
* qatar/master:
adpcm: Clip step_index values read from the bitstream at the beginning of each frame.
oma: don't read beyond end of leaf_table.
doxygen: Remove documentation for non-existing parameters; misc small fixes.
Indeo3: fix crashes on corrupt bitstreams.
msmpeg4: Replace forward declaration by proper #include.
segment: implement wrap around
avf: reorder AVStream and AVFormatContext
aacdec: Remove erroneous reference to global gain from the out of bounds scalefactor error message.
Conflicts:
libavcodec/indeo3.c
libavformat/avformat.h
libavutil/avutil.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/indeo3.c')
| -rw-r--r-- | libavcodec/indeo3.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index dce75fe116..83effae859 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -727,6 +727,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, SPLIT_CELL(ref_cell->height, curr_cell.height); ref_cell->ypos += curr_cell.height; ref_cell->height -= curr_cell.height; + if (ref_cell->height <= 0 || curr_cell.height <= 0) + return AVERROR_INVALIDDATA; } else if (code == V_SPLIT) { if (curr_cell.width > strip_width) { /* split strip */ @@ -735,6 +737,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, SPLIT_CELL(ref_cell->width, curr_cell.width); ref_cell->xpos += curr_cell.width; ref_cell->width -= curr_cell.width; + if (ref_cell->width <= 0 || curr_cell.width <= 0) + return AVERROR_INVALIDDATA; } while (get_bits_left(&ctx->gb) >= 2) { /* loop until return */ @@ -890,14 +894,16 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (width != ctx->width || height != ctx->height) { + int res; + av_dlog(avctx, "Frame dimensions changed!\n"); ctx->width = width; ctx->height = height; free_frame_buffers(ctx); - if(allocate_frame_buffers(ctx, avctx) < 0) - return AVERROR_INVALIDDATA; + if ((res = allocate_frame_buffers(ctx, avctx)) < 0) + return res; avcodec_set_dimensions(avctx, width, height); } |