avfilter/af_astats: fix possible crash because of undefined float to integer rounding

[ffmpeg] / libavcodec / ituh263dec.c

diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index c37f872b3c0d1d1a1cb21fbcbaee651720027284..c9007b2fd646fc58bd28b2631554ba8cb62df432 100644 (file)
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -34,6 +34,7 @@
 #include "libavutil/imgutils.h"
 #include "libavutil/internal.h"
 #include "libavutil/mathematics.h"
+#include "libavutil/mem_internal.h"
 #include "avcodec.h"
 #include "mpegvideo.h"
 #include "h263.h"
@@ -467,7 +468,7 @@ static int h263_decode_block(MpegEncContext * s, int16_t * block,
             level = s->last_dc[component];
             if (s->rv10_first_dc_coded[component]) {
                 diff = ff_rv_decode_dc(s, n);
-                if (diff == 0xffff)
+                if (diff < 0)
                     return -1;
                 level += diff;
                 level = level & 0xff; /* handle wrap round */
@@ -1218,6 +1219,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
     if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0)
         return ret;
 
+    if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) {
+        if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
+    }
+
     s->mb_width = (s->width  + 15) / 16;
     s->mb_height = (s->height  + 15) / 16;
     s->mb_num = s->mb_width * s->mb_height;