avcodec/alsdec: Fix integer overflow in decode_var_block_data()

[ffmpeg] / libavcodec / clearvideo.c

diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index ad3012f7b789f1256a8b0c8d85a16decd786a0a5..26cdfb2731d70e5fd25fc9bd6ad3afa7e511779e 100644 (file)
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -555,6 +555,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
     } else {
         int plane;
 
+        if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell(&gb)))
+            return AVERROR_INVALIDDATA;
+
         if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
             return ret;
 
@@ -662,7 +665,7 @@ static av_cold int clv_decode_init(AVCodecContext *avctx)
     }
 
     c->tile_shift = av_log2(c->tile_size);
-    if (1 << c->tile_shift != c->tile_size) {
+    if (1U << c->tile_shift != c->tile_size) {
         av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size);
         return AVERROR_INVALIDDATA;
     }