Merge remote-tracking branch 'qatar/master'

[ffmpeg] / libavcodec / truemotion1.c

diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index ccebef5495a110809a63a000afe5b85c11f77983..5a79101fc21cb853640c56bdabe1b0629c9ad08e 100644 (file)
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -310,18 +310,17 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
     int width_shift = 0;
     int new_pix_fmt;
     struct frame_header header;
-    uint8_t header_buffer[128];  /* logical maximum size of the header */
+    uint8_t header_buffer[128] = { 0 };  /* logical maximum size of the header */
     const uint8_t *sel_vector_table;
 
     header.header_size = ((s->buf[0] >> 5) | (s->buf[0] << 3)) & 0x7f;
-    if (s->buf[0] < 0x10)
+    if (s->buf[0] < 0x10 || header.header_size >= s->size)
     {
         av_log(s->avctx, AV_LOG_ERROR, "invalid header size (%d)\n", s->buf[0]);
         return -1;
     }
 
     /* unscramble the header bytes with a XOR operation */
-    memset(header_buffer, 0, 128);
     for (i = 1; i < header.header_size; i++)
         header_buffer[i - 1] = s->buf[i] ^ s->buf[i + 1];
 
@@ -901,5 +900,5 @@ AVCodec ff_truemotion1_decoder = {
     .close          = truemotion1_decode_end,
     .decode         = truemotion1_decode_frame,
     .capabilities   = CODEC_CAP_DR1,
-    .long_name = NULL_IF_CONFIG_SMALL("Duck TrueMotion 1.0"),
+    .long_name      = NULL_IF_CONFIG_SMALL("Duck TrueMotion 1.0"),
 };