proresdec: Fix read via negative index in a global array.

[ffmpeg] / libavcodec / proresdec2.c

diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c
index 82848a46e7221f0cbaa949b9ec31644cfa6eada0..9f801e447a975c041183c8764e251164f0c71e8c 100644 (file)
--- a/libavcodec/proresdec2.c
+++ b/libavcodec/proresdec2.c
@@ -73,7 +73,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     ff_proresdsp_init(&ctx->prodsp, avctx);
 
     avctx->coded_frame = &ctx->frame;
-    ctx->frame.type = FF_I_TYPE;
+    ctx->frame.type = AV_PICTURE_TYPE_I;
     ctx->frame.key_frame = 1;
 
     ff_init_scantable_permutation(idct_permutation,
@@ -302,7 +302,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, DCTELEM *out,
     code = 5;
     sign = 0;
     for (i = 1; i < blocks_per_slice; i++, out += 64) {
-        DECODE_CODEWORD(code, dc_codebook[FFMIN(code, 6)]);
+        DECODE_CODEWORD(code, dc_codebook[FFMIN(code, 6U)]);
         if(code) sign ^= -(code & 1);
         else     sign  = 0;
         prev_dc += (((code + 1) >> 1) ^ sign) - sign;
@@ -443,7 +443,8 @@ static int decode_slice_thread(AVCodecContext *avctx, void *arg, int jobnr, int
     v_data_size = slice->data_size - y_data_size - u_data_size - hdr_size;
     if (hdr_size > 7) v_data_size = AV_RB16(buf + 6);
 
-    if (y_data_size < 0 || u_data_size < 0 || v_data_size < 0) {
+    if (y_data_size < 0 || u_data_size < 0 || v_data_size < 0
+        || hdr_size+y_data_size+u_data_size+v_data_size > slice->data_size){
         av_log(avctx, AV_LOG_ERROR, "invalid plane data size\n");
         return -1;
     }