avcodec/pnm_parser: Support concatenated ASCII images

[ffmpeg] / libavcodec / clearvideo.c

diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index b4bfa3bda3e3627f66bea06b89b46e00fc04c9f1..82df8f37522e646a20c2f920356cb716708ed1a6 100644 (file)
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -555,6 +555,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
     } else {
         int plane;
 
+        if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell(&gb)))
+            return AVERROR_INVALIDDATA;
+
         if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
             return ret;
 
@@ -570,6 +573,8 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 
         for (j = 0; j < c->pmb_height; j++) {
             for (i = 0; i < c->pmb_width; i++) {
+                if (get_bits_left(&c->gb) <= 0)
+                    return AVERROR_INVALIDDATA;
                 if (get_bits1(&c->gb)) {
                     MV mv = mvi_predict(&c->mvi, i, j, zero_mv);
 
@@ -637,6 +642,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 
     *got_frame = 1;
 
+    if (get_bits_left(&c->gb) < 0)
+        av_log(c->avctx, AV_LOG_WARNING, "overread %d\n", -get_bits_left(&c->gb));
+
     return mb_ret < 0 ? mb_ret : buf_size;
 }