avcodec/ffv1dec: Use a different error message for the slice level CRC

[ffmpeg] / libavcodec / rasc.c

diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
index e8e0740ddd5f3fa9888a94914aadc4b806d45e73..21fc43f325c761a8f0fec0cd5b87d9baaa75f9e4 100644 (file)
--- a/libavcodec/rasc.c
+++ b/libavcodec/rasc.c
@@ -215,7 +215,7 @@ static int decode_move(AVCodecContext *avctx,
     bytestream2_skip(gb, 8);
     compression = bytestream2_get_le32(gb);
 
-    if (nb_moves > INT32_MAX / 16)
+    if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width * avctx->height)
         return AVERROR_INVALIDDATA;
 
     uncompressed_size = 16 * nb_moves;
@@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx,
     compression = bytestream2_get_le32(gb);
 
     if (compression == 1) {
+        if (w * h * s->bpp * 3 < uncompressed_size)
+            return AVERROR_INVALIDDATA;
         ret = decode_zlib(avctx, avpkt, size, uncompressed_size);
         if (ret < 0)
             return ret;
@@ -680,6 +682,9 @@ static int decode_frame(AVCodecContext *avctx,
     while (bytestream2_get_bytes_left(gb) > 0) {
         unsigned type, size = 0;
 
+        if (bytestream2_get_bytes_left(gb) < 8)
+            return AVERROR_INVALIDDATA;
+
         type = bytestream2_get_le32(gb);
         if (type == KBND || type == BNDL) {
             intra = type == KBND;
@@ -718,12 +723,12 @@ static int decode_frame(AVCodecContext *avctx,
             return ret;
     }
 
-    if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0)
-        return ret;
-
     if (!s->frame2->data[0] || !s->frame1->data[0])
         return AVERROR_INVALIDDATA;
 
+    if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0)
+        return ret;
+
     copy_plane(avctx, s->frame2, s->frame);
     if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
         memcpy(s->frame->data[1], s->frame2->data[1], 1024);