int ret;
av_frame_unref(s->frame1);
+ av_frame_unref(s->frame2);
if ((ret = ff_get_buffer(avctx, s->frame1, 0)) < 0)
return ret;
- av_frame_unref(s->frame2);
if ((ret = ff_get_buffer(avctx, s->frame2, 0)) < 0)
return ret;
bytestream2_skip(gb, 8);
compression = bytestream2_get_le32(gb);
- if (nb_moves > INT32_MAX / 16)
+ if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width * avctx->height)
return AVERROR_INVALIDDATA;
uncompressed_size = 16 * nb_moves;
compression = bytestream2_get_le32(gb);
if (compression == 1) {
+ if (w * h * s->bpp * 3 < uncompressed_size)
+ return AVERROR_INVALIDDATA;
ret = decode_zlib(avctx, avpkt, size, uncompressed_size);
if (ret < 0)
return ret;
while (bytestream2_get_bytes_left(gb) > 0) {
unsigned type, size = 0;
+ if (bytestream2_get_bytes_left(gb) < 8)
+ return AVERROR_INVALIDDATA;
+
type = bytestream2_get_le32(gb);
if (type == KBND || type == BNDL) {
intra = type == KBND;
return ret;
}
- if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0)
- return ret;
-
if (!s->frame2->data[0] || !s->frame1->data[0])
return AVERROR_INVALIDDATA;
+ if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0)
+ return ret;
+
copy_plane(avctx, s->frame2, s->frame);
if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
memcpy(s->frame->data[1], s->frame2->data[1], 1024);