libopusenc: prevent an out-of-bounds read by returning early

[ffmpeg] / libavcodec / eatgv.c

diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c
index 92d914ef5472ed6431ac7e43a064e2e7cba7f9ca..c400b56713b505bd055329cd9c2d2616e16decff 100644 (file)
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@@ -40,7 +40,7 @@
 
 typedef struct TgvContext {
     AVCodecContext *avctx;
-    AVFrame last_frame;
+    AVFrame *last_frame;
     uint8_t *frame_buffer;
     int width,height;
     uint32_t palette[AVPALETTE_COUNT];
@@ -55,8 +55,13 @@ static av_cold int tgv_decode_init(AVCodecContext *avctx)
 {
     TgvContext *s = avctx->priv_data;
     s->avctx         = avctx;
-    avctx->time_base = (AVRational){1, 15};
+    avctx->framerate = (AVRational){ 15, 1 };
     avctx->pix_fmt   = AV_PIX_FMT_PAL8;
+
+    s->last_frame = av_frame_alloc();
+    if (!s->last_frame)
+        return AVERROR(ENOMEM);
+
     return 0;
 }
 
@@ -173,7 +178,11 @@ static int tgv_decode_inter(TgvContext *s, AVFrame *frame,
     }
 
     if (num_blocks_packed > s->num_blocks_packed) {
-        s->block_codebook = av_realloc(s->block_codebook, num_blocks_packed*16);
+        int err;
+        if ((err = av_reallocp(&s->block_codebook, num_blocks_packed * 16)) < 0) {
+            s->num_blocks_packed = 0;
+            return err;
+        }
         s->num_blocks_packed = num_blocks_packed;
     }
 
@@ -223,8 +232,8 @@ static int tgv_decode_inter(TgvContext *s, AVFrame *frame,
                     my < 0 || my + 4 > s->avctx->height)
                     continue;
 
-                src = s->last_frame.data[0] + mx + my * s->last_frame.linesize[0];
-                src_stride = s->last_frame.linesize[0];
+                src = s->last_frame->data[0] + mx + my * s->last_frame->linesize[0];
+                src_stride = s->last_frame->linesize[0];
             } else {
                 int offset = vector - num_mvs;
                 if (offset < num_blocks_raw)
@@ -270,7 +279,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
         s->height = AV_RL16(&buf[2]);
         if (s->avctx->width != s->width || s->avctx->height != s->height) {
             av_freep(&s->frame_buffer);
-            av_frame_unref(&s->last_frame);
+            av_frame_unref(s->last_frame);
             if ((ret = ff_set_dimensions(s->avctx, s->width, s->height)) < 0)
                 return ret;
         }
@@ -306,7 +315,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
                    s->frame_buffer + y * s->width,
                    s->width);
     } else {
-        if (!s->last_frame.data[0]) {
+        if (!s->last_frame->data[0]) {
             av_log(avctx, AV_LOG_WARNING, "inter frame without corresponding intra frame\n");
             return buf_size;
         }
@@ -318,8 +327,8 @@ static int tgv_decode_frame(AVCodecContext *avctx,
         }
     }
 
-    av_frame_unref(&s->last_frame);
-    if ((ret = av_frame_ref(&s->last_frame, frame)) < 0)
+    av_frame_unref(s->last_frame);
+    if ((ret = av_frame_ref(s->last_frame, frame)) < 0)
         return ret;
 
     *got_frame = 1;
@@ -330,7 +339,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
 static av_cold int tgv_decode_end(AVCodecContext *avctx)
 {
     TgvContext *s = avctx->priv_data;
-    av_frame_unref(&s->last_frame);
+    av_frame_free(&s->last_frame);
     av_freep(&s->frame_buffer);
     av_free(s->mv_codebook);
     av_free(s->block_codebook);