From bb29fee3a6a289f6b191177098ddce3720d8c417 Mon Sep 17 00:00:00 2001
From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Mon, 22 Feb 2010 12:35:12 +0000
Subject: Make Bink decoder to stop decoding planes after all bits are used.
 This prevents crashes during decoding grayscale Bink files like samples from
 Impossible Creatures game demo.

Originally committed as revision 21961 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/bink.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 661f75fec3..fb483e0716 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -681,6 +681,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
     DECLARE_ALIGNED_16(DCTELEM, block[64]);
     DECLARE_ALIGNED_16(uint8_t, ublock[64]);
     int coordmap[64];
+    int bits_count = pkt->size << 3;
 
     if(c->pic.data[0])
         avctx->release_buffer(avctx, &c->pic);
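Review bot: `pkt->size << 3` is evaluated in signed `int`, so a packet of 256 MiB or more overflows the shift, which is undefined behaviour. The result is then used both as the bit-reader length and as the loop bound added in the last hunk of this patch. Callers may already cap the packet size, but nothing visible here does, so I would assign `bits_count` only after a guard such as `if (pkt->size > INT_MAX / 8) return -1;`. The declaration sits in the opening of `decode_frame`, whose body starts and ends outside this hunk.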
@@ -690,7 +691,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         return -1;
     }
 
-    init_get_bits(&gb, pkt->data, pkt->size*8);
+    init_get_bits(&gb, pkt->data, bits_count);
     if (c->version >= 'i')
         skip_bits_long(&gb, 32);
 
@@ -901,6 +902,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         }
         if (get_bits_count(&gb) & 0x1F) //next plane data starts at 32-bit boundary
             skip_bits_long(&gb, 32 - (get_bits_count(&gb) & 0x1F));
+        if (get_bits_count(&gb) >= bits_count)
+            break;
     }
     emms_c();
 
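Review bot: The new `get_bits_count(&gb) >= bits_count` test runs once per plane, after that plane's blocks have been read, so it stops the next plane from starting but does not bound reads inside the current one. A packet that ends mid-plane would still drive the bit reader past `bits_count`; whether that is harmless depends on input padding and the reader's configuration, which this hunk does not show. Consider making the same comparison per block row, in the part of the loop outside this hunk, and returning an error there. When the loop exits early, the remaining planes of `c->pic` do not appear to be written, so filling them with a neutral value (for example 0x80 for chroma) would avoid emitting stale buffer contents. A short comment such as `// grayscale files carry only the first plane` would also explain the `break`.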
-- 
cgit v1.2.3