Merge remote-tracking branch 'qatar/master'

[ffmpeg] / libavcodec / roqvideodec.c

diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
index 4af7ede9ad2369e83fb11bfb660c03f8db322525..161e7da08a48a2aa873792ff6091958a853b996a 100644 (file)
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -71,9 +71,17 @@ static void roqvideo_decode_frame(RoqContext *ri)
     }
 
     bpos = xpos = ypos = 0;
+    if (chunk_size > buf_end - buf) {
+        av_log(ri->avctx, AV_LOG_ERROR, "Chunk does not fit in input buffer\n");
+        chunk_size = buf_end - buf;
+    }
     while(bpos < chunk_size) {
         for (yp = ypos; yp < ypos + 16; yp += 8)
             for (xp = xpos; xp < xpos + 16; xp += 8) {
+                if (bpos >= chunk_size) {
+                    av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
+                    return;
+                }
                 if (vqflg_pos < 0) {
                     vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8);
                     vqflg_pos = 7;
@@ -103,6 +111,10 @@ static void roqvideo_decode_frame(RoqContext *ri)
                         if(k & 0x01) x += 4;
                         if(k & 0x02) y += 4;
 
+                        if (bpos >= chunk_size) {
+                            av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
+                            return;
+                        }
                         if (vqflg_pos < 0) {
                             vqflg = buf[bpos++];
                             vqflg |= (buf[bpos++] << 8);
@@ -177,6 +189,7 @@ static int roq_decode_frame(AVCodecContext *avctx,
     RoqContext *s = avctx->priv_data;
     int copy= !s->current_frame->data[0];
 
+    s->current_frame->reference = 3;
     if (avctx->reget_buffer(avctx, s->current_frame)) {
         av_log(avctx, AV_LOG_ERROR, "  RoQ: get_buffer() failed\n");
         return -1;