]> git.sesse.net Git - ffmpeg/blobdiff - libavcodec/scpr.c
projects / ffmpeg / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
[ffmpeg] / libavcodec / scpr.c
diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index 465926af19f3ff8488607b86796fbaa93d2448ae..f6d1e45692de119b61cb923ff809cc2df29de84d 100644 (file)
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -161,7 +161,7 @@ static int get_freq(RangeCoder *rc, unsigned total_freq, unsigned *freq)
 
 static int decode0(GetByteContext *gb, RangeCoder *rc, unsigned cumFreq, unsigned freq, unsigned total_freq)
 {
-    int t;
+    unsigned t;
 
     if (total_freq == 0)
         return AVERROR_INVALIDDATA;
@@ -261,6 +261,9 @@ static int decode_unit(SCPRContext *s, PixelModel *pixel, unsigned step, unsigne
             break;
         c++;
     }
+    if (x >= 16 || c >= 256) {
+        return AVERROR_INVALIDDATA;
+    }
 
     if ((ret = s->decode(gb, rc, cumfr, cnt_c, totfr)) < 0)
         return ret;
@@ -331,6 +334,9 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
         clr = (b << 16) + (g << 8) + r;
         k += run;
         while (run-- > 0) {
+            if (y >= avctx->height)
+                return AVERROR_INVALIDDATA;
+
             dst[y * linesize + x] = clr;
             lx = x;
             ly = y;
@@ -482,7 +488,7 @@ static int decompress_i(AVCodecContext *avctx, uint32_t *dst, int linesize)
 
         if (avctx->bits_per_coded_sample == 16) {
             cx1 = (clr & 0x3F00) >> 2;
-            cx = (clr & 0xFFFFFF) >> 16;
+            cx = (clr & 0x3FFFFF) >> 16;
         } else {
             cx1 = (clr & 0xFC00) >> 4;
             cx = (clr & 0xFFFFFF) >> 18;
@@ -720,7 +726,7 @@ static int decompress_p(AVCodecContext *avctx,
 
                     if (avctx->bits_per_coded_sample == 16) {
                         cx1 = (clr & 0x3F00) >> 2;
-                        cx = (clr & 0xFFFFFF) >> 16;
+                        cx = (clr & 0x3FFFFF) >> 16;
                     } else {
                         cx1 = (clr & 0xFC00) >> 4;
                         cx = (clr & 0xFFFFFF) >> 18;
Unnamed repository; edit this file 'description' to name the repository.