Merge commit 'f1d8763a02b5fce9a7d9789e049d74a45b15e1e8'

[ffmpeg] / libavcodec / vmnc.c

diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index d3c86f1f977e9daa5d9be26d513232cde7a5e723..eb39fc923d1de7d0cfb4db5f8d7c6a423fc8d75b 100644 (file)
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -285,7 +285,8 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int
     return src - ssrc;
 }
 
-static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
+static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
+                        AVPacket *avpkt)
 {
     const uint8_t *buf = avpkt->data;
     int buf_size = avpkt->size;
@@ -345,6 +346,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         size_left = buf_size - (src - buf);
         switch(enc) {
         case MAGIC_WMVd: // cursor
+            if (w*(int64_t)h*c->bpp2 > INT_MAX/2 - 2) {
+                av_log(avctx, AV_LOG_ERROR, "dimensions too large\n");
+                return AVERROR_INVALIDDATA;
+            }
             if(size_left < 2 + w * h * c->bpp2 * 2) {
                 av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left);
                 return -1;
@@ -450,7 +455,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
             put_cursor(outptr, c->pic.linesize[0], c, c->cur_x, c->cur_y);
         }
     }
-    *data_size = sizeof(AVFrame);
+    *got_frame      = 1;
     *(AVFrame*)data = c->pic;
 
     /* always report that the buffer was completely consumed */