avcodec/pnm_parser: Support concatenated ASCII images

[ffmpeg] / libavcodec / clearvideo.c

diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index 6061cb571ea202b7f1b71c875e9b3bd857ef2792..82df8f37522e646a20c2f920356cb716708ed1a6 100644 (file)
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -516,11 +516,8 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
     frame_type = bytestream2_get_byte(&gb);
 
     if ((frame_type & 0x7f) == 0x30) {
-        if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
-            return ret;
-
-        c->pic->key_frame = 0;
-        c->pic->pict_type = AV_PICTURE_TYPE_P;
+        *got_frame = 0;
+        return buf_size;
     } else if (frame_type & 0x2) {
         if (buf_size < c->mb_width * c->mb_height) {
             av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
@@ -558,6 +555,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
     } else {
         int plane;
 
+        if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell(&gb)))
+            return AVERROR_INVALIDDATA;
+
         if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
             return ret;
 
@@ -573,6 +573,8 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 
         for (j = 0; j < c->pmb_height; j++) {
             for (i = 0; i < c->pmb_width; i++) {
+                if (get_bits_left(&c->gb) <= 0)
+                    return AVERROR_INVALIDDATA;
                 if (get_bits1(&c->gb)) {
                     MV mv = mvi_predict(&c->mvi, i, j, zero_mv);
 
@@ -640,6 +642,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 
     *got_frame = 1;
 
+    if (get_bits_left(&c->gb) < 0)
+        av_log(c->avctx, AV_LOG_WARNING, "overread %d\n", -get_bits_left(&c->gb));
+
     return mb_ret < 0 ? mb_ret : buf_size;
 }