Merge commit '458e53f51fc75d08df884f8e9eb3d7ded23e97b3'

[ffmpeg] / libavcodec / dirac_parser.c

diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c
index 83c35a201061710dd5e4c0eda8aab27f2770b407..1ca7e31f1cdfd3e3a27fd747c1ca97b2efa92699 100644 (file)
--- a/libavcodec/dirac_parser.c
+++ b/libavcodec/dirac_parser.c
@@ -100,10 +100,12 @@ typedef struct DiracParseUnit {
 static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
                              int offset)
 {
-    uint8_t *start = pc->buffer + offset;
-    uint8_t *end   = pc->buffer + pc->index;
-    if (start < pc->buffer || (start + 13 > end))
+    int8_t *start;
+
+    if (offset < 0 || pc->index - 13 < offset)
         return 0;
+
+    start = pc->buffer + offset;
     pu->pu_type = start[4];
 
     pu->next_pu_offset = AV_RB32(start + 5);
@@ -112,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
     if (pu->pu_type == 0x10 && pu->next_pu_offset == 0)
         pu->next_pu_offset = 13;
 
+    if (pu->next_pu_offset && pu->next_pu_offset < 13) {
+        av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset);
+        return 0;
+    }
+    if (pu->prev_pu_offset && pu->prev_pu_offset < 13) {
+        av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset);
+        return 0;
+    }
+
     return 1;
 }
 
@@ -190,7 +201,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx,
         }
 
         /* Get the picture number to set the pts and dts*/
-        if (parse_timing_info) {
+        if (parse_timing_info && pu1.prev_pu_offset >= 13) {
             uint8_t *cur_pu = pc->buffer +
                               pc->index - 13 - pu1.prev_pu_offset;
             int pts = AV_RB32(cur_pu + 13);