authorMike Melanson <mike@multimedia.cx>2003-05-12 04:28:35 +0000
committerMike Melanson <mike@multimedia.cx>2003-05-12 04:28:35 +0000
commit74c0ac127407847525a7fe38818de0dd772a20b9 (patch)
treeb64321e839c1992b135e0427eee4b3f9a50ab28b /libavcodec
parentaffd55a1329cafa929108811f48f22a5e916aeb2 (diff)
downloadffmpeg-74c0ac127407847525a7fe38818de0dd772a20b9.tar.gz
fix image buffer leak on keyframes, add more error condition checks
Originally committed as revision 1856 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/vp3.c33
1 files changed, 26 insertions, 7 deletions
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 80f10088a7..409e7923ad 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -280,8 +280,8 @@ typedef struct Vp3DecodeContext {
* numbers corresponds to the fragment indices 0..5 which comprise
* the macroblock (4 Y fragments and 2 C fragments). */
int *macroblock_fragments;
- /* This is an array of that indicates how a particular
- * macroblock is coded. */
+ /* This is an array that indicates how a particular macroblock
+ * is coded. */
unsigned char *macroblock_coding;
int first_coded_y_fragment;
@@ -1656,6 +1656,16 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
DCTELEM coeff;
Vp3Fragment *fragment;
+ if ((first_fragment < 0) ||
+ (first_fragment >= s->fragment_count) ||
+ (last_fragment < 0) ||
+ (last_fragment >= s->fragment_count)) {
+
+ printf (" vp3:unpack_vlcs(): bad fragment number (%d -> %d ?)\n",
+ first_fragment, last_fragment);
+ return 1;
+ }
+
for (i = first_fragment; i <= last_fragment; i++) {
fragment = &s->all_fragments[s->coded_fragment_list[i]];
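Review bot: The added guard in unpack_vlcs() bounds the loop variable, but the value read from `s->coded_fragment_list[i]` on the first line of the loop is still used unchecked as an index into `s->all_fragments`. A corrupt list entry would therefore still read out of range; a check inside the loop along the lines of `if (s->coded_fragment_list[i] < 0 || s->coded_fragment_list[i] >= s->fragment_count) return 1;` would close that. The guard also assumes `s->fragment_count` is the number of valid entries in `coded_fragment_list`, which cannot be confirmed from this hunk; if the list is shorter, the bound should be the list's own length. The function's normal return value is outside the hunk, so it is worth confirming that callers can tell `return 1` apart from a successful result.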
@@ -2117,6 +2127,11 @@ static void render_fragments(Vp3DecodeContext *s,
/* for each fragment in a row... */
for (x = 0; x < width; x += 8, i++) {
+ if ((i < 0) || (i >= s->fragment_count)) {
+ printf (" vp3:render_fragments(): bad fragment number (%d)\n", i);
+ return;
+ }
+
/* transform if this block was coded */
if (s->all_fragments[i].coding_method != MODE_COPY) {
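Review bot: The early `return` on a bad fragment index in render_fragments() leaves the rest of the plane unrendered and gives the caller no signal, because the function is `void` (see the hunk header). The decoder would then presumably hand back a partially drawn frame as if decoding had succeeded. Consider returning an `int` status that vp3_decode_frame() can act on, or at least documenting the behaviour with a comment such as `/* bail out: remaining fragments stay unrendered and the caller is not told */`. The diagnostic here and in unpack_vlcs() is written with `printf`, which puts library errors on the host application's stdout; `fprintf(stderr, ...)` or the project's logging call would keep them out of program output. The loop and function body continue outside the hunk.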
@@ -2418,11 +2433,15 @@ static int vp3_decode_frame(AVCodecContext *avctx,
counter++;
if (s->keyframe) {
- if ((s->golden_frame.data[0]) &&
- (s->last_frame.data[0] == s->golden_frame.data[0]))
- avctx->release_buffer(avctx, &s->golden_frame);
- else if (s->last_frame.data[0])
- avctx->release_buffer(avctx, &s->last_frame);
+ if (s->last_frame.data[0] == s->golden_frame.data[0]) {
+ if (s->golden_frame.data[0])
+ avctx->release_buffer(avctx, &s->golden_frame);
+ } else {
+ if (s->golden_frame.data[0])
+ avctx->release_buffer(avctx, &s->golden_frame);
+ if (s->last_frame.data[0])
+ avctx->release_buffer(avctx, &s->last_frame);
+ }
s->golden_frame.reference = 0;
if(avctx->get_buffer(avctx, &s->golden_frame) < 0) {
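Review bot: In the aliased branch (`last_frame.data[0] == golden_frame.data[0]`) only `golden_frame` is released, so `s->last_frame` keeps pointing at the buffer that was just handed back. If `release_buffer` clears only the frame it is given (not visible here) and the `get_buffer` call on the last line fails, the next keyframe would see a non-NULL `last_frame.data[0]` that differs from `golden_frame.data[0]` and release that buffer a second time. Clearing the alias right after the release, for example `s->last_frame.data[0] = NULL;`, would make this path safe whatever the callback does. Whether `last_frame` is reassigned before its next use is decided by code outside this hunk, so please confirm against the rest of vp3_decode_frame().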