avidec: Fix infinite loop caused by rounding of timestamps in non interleaved avis.

[ffmpeg] / libavcodec / vb.c

diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 622ea89790716b4b1b2ecd650b90f8ed4414596f..26967db7b25f88706c1ae7d9787fcbeed056ffd0 100644 (file)
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -73,7 +73,7 @@ static void vb_decode_palette(VBDecContext *c, int data_size)
         return;
     }
     for(i = start; i <= start + size; i++)
-        c->pal[i] = bytestream_get_be24(&c->stream);
+        c->pal[i] = 0xFF << 24 | bytestream_get_be24(&c->stream);
 }
 
 static inline int check_pixel(uint8_t *buf, uint8_t *start, uint8_t *end)
@@ -205,7 +205,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
 
     if(c->pic.data[0])
         avctx->release_buffer(avctx, &c->pic);
-    c->pic.reference = 1;
+    c->pic.reference = 3;
     if(avctx->get_buffer(avctx, &c->pic) < 0){
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return -1;
@@ -221,10 +221,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         offset = i + j * avctx->width;
         rest -= 4;
     }
+    if(rest < 0){
+        av_log(avctx, AV_LOG_ERROR, "not enough data\n");
+        return -1;
+    }
     if(flags & VB_HAS_VIDEO){
         size = bytestream_get_le32(&c->stream);
-        if(size > rest){
-            av_log(avctx, AV_LOG_ERROR, "Frame size is too big\n");
+        if(size > rest || size<4){
+            av_log(avctx, AV_LOG_ERROR, "Frame size invalid\n");
             return -1;
         }
         vb_decode_framedata(c, c->stream, size, offset);