int i, count = FFMIN(palette_size / 3, 1 << s->ham);
int ham_count;
const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata);
+ int extra_space = 1;
+
+ if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4)
+ extra_space = 4;
s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE);
if (!s->ham_buf)
return AVERROR(ENOMEM);
ham_count = 8 * (1 << s->ham);
- s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
+ s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
if (!s->ham_palbuf) {
av_freep(&s->ham_buf);
return AVERROR(ENOMEM);
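Review bot: The `extra_space = 4` multiplier for `MKTAG('P', 'B', 'M', ' ')` with `s->ham == 4` is an unexplained constant, and it enlarges `ham_palbuf` instead of bounding the index that reads it. Presumably the PBM path indexes the table with whole byte values, so it reaches past the `ham_count` entries sized for a 4-bit HAM; that reader is outside this hunk and should be confirmed. A comment on the new branch should say so, for example `/* PBM HAM4: table is indexed by full bytes, needs 4x the entries */`. Without it, a later change to either the lookup or the allocation can silently reintroduce the out-of-bounds read. The enclosing function starts and ends outside the hunk.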
{
const uint8_t *src_end = src + src_size;
int x = 0, y = 0, i;
- while (src + 5 <= src_end) {
+ while (src_end - src >= 5) {
int opcode;
opcode = *(int8_t *)src++;
if (opcode >= 0) {
int size = opcode + 1;
for (i = 0; i < size; i++) {
int length = FFMIN(size - i, width);
+ if (src_end - src < length * 4)
+ return;
memcpy(dst + y*linesize + x * 4, src, length * 4);
src += length * 4;
x += length;
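Review bot: `int length = FFMIN(size - i, width);` clamps the run to the full row width, not to the space left in the current row, while the `memcpy` destination starts at column `x`. The added `src_end - src < length * 4` check bounds only the read side. If `x` can be non-zero at this point, the copy can run past the end of row `y`, and on the last row past the end of `dst`. Consider `int length = FFMIN(size - i, width - x);`. The row-wrap handling and the rest of the function are outside the hunk, so this needs confirming against the full body.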
bytestream2_init(&gb, buf + ofssrc, buf_end - (buf + ofssrc));
entries = bytestream2_get_be32(&gb);
+ if (entries * 8LL > bytestream2_get_bytes_left(&gb))
+ return;
+
while (entries && bytestream2_get_bytes_left(&gb) >= 8) {
int32_t opcode = bytestream2_get_be32(&gb);
unsigned offset = bytestream2_get_be32(&gb);
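Review bot: The new guard `entries * 8LL > bytestream2_get_bytes_left(&gb)` depends on the declared type of `entries`, which is outside the hunk. If `entries` is a signed `int`, a stream value of 0x80000000 or above becomes negative, the product is negative, and the guard lets it through. The loop's `bytestream2_get_bytes_left(&gb) >= 8` condition still limits the reads, so the effect would be a check that does not reject what it is meant to; declaring `entries` as `unsigned` or `uint32_t` removes the doubt. A short comment such as `/* each entry is a 32-bit opcode plus a 32-bit offset */` would also explain the 8 that appears in both the guard and the loop condition.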