proresdec: Fix read via negative index in a global array.
[ffmpeg] / libavcodec / eacmv.c
index ae2f94d8c498fcccd974f7e90907136bec5974ac..82ec9fc9fc74ee4f24f6bbd319114ef93ff9b668 100644 (file)
@@ -141,7 +141,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
 
     buf += 16;
     for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
-        s->palette[i] = AV_RB24(buf);
+        s->palette[i] = 0xFF << 24 | AV_RB24(buf);
         buf += 3;
     }
 }
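Review bot: On the added line `s->palette[i] = 0xFF << 24 | AV_RB24(buf);` the constant `0xFF` has type int, so shifting it left by 24 yields a value that does not fit in a signed 32-bit int, which is undefined behavior in C. An unsigned constant keeps the forced-opaque alpha byte well defined: `s->palette[i] = 0xFFU << 24 | AV_RB24(buf);`. The loop condition bounds `i` from above and checks that 3 bytes remain before each read; the lower bound depends on `pal_start`, which is set outside the hunk and is presumably non-negative.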
@@ -162,8 +162,11 @@ static int cmv_decode_frame(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
 
     if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) {
+        unsigned size = AV_RL32(buf + 4);
         cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end);
-        return buf_size;
+        if (size > buf_end - buf - EA_PREAMBLE_SIZE)
+            return -1;
+        buf += size;
     }
 
     if (av_image_check_size(s->width, s->height, 0, s->avctx))
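Review bot: The new length check runs after `cmv_process_header()` has already been called, so a packet whose declared `size` exceeds the remaining data still updates decoder state (the palette write is visible in the first hunk) before it is rejected; placing the check above the call would reject it first. The rejection returns `-1`, while the check just above in this function returns `AVERROR_INVALIDDATA`; `return AVERROR_INVALIDDATA;` would be consistent. The comparison `size > buf_end - buf - EA_PREAMBLE_SIZE` mixes `unsigned` with a pointer difference, so it is only sound when that difference is non-negative, which the earlier length check (its condition is outside the hunk) presumably guarantees. The body of cmv_decode_frame starts and ends outside the hunk.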
@@ -176,7 +179,9 @@ static int cmv_decode_frame(AVCodecContext *avctx,
     FFSWAP(AVFrame, s->frame, s->last_frame);
 
     s->frame.reference = 3;
-    s->frame.buffer_hints = FF_BUFFER_HINTS_VALID;
+    s->frame.buffer_hints = FF_BUFFER_HINTS_VALID |
+                            FF_BUFFER_HINTS_READABLE |
+                            FF_BUFFER_HINTS_PRESERVE;
     if (avctx->get_buffer(avctx, &s->frame)<0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return -1;