/* load up the VQA parameters from the header */
vqa_header = (unsigned char *)s->avctx->extradata;
s->vqa_version = vqa_header[0];
+ if (s->vqa_version < 1 || s->vqa_version > 3) {
+ av_log(s->avctx, AV_LOG_ERROR, " VQA video: unsupported version %d\n", s->vqa_version);
+ return -1;
+ }
s->width = AV_RL16(&vqa_header[6]);
s->height = AV_RL16(&vqa_header[8]);
if(av_image_check_size(s->width, s->height, 0, avctx)){
src_index += 2;
av_dlog(NULL, "(1) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
src_index += 2;
av_dlog(NULL, "(3) copy %X bytes from absolute pos %X\n", count, src_pos);
CHECK_COUNT();
+ if (src_pos + count > dest_size)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[src_pos + i];
dest_index += count;
src_index += 2;
av_dlog(NULL, "(5) copy %X bytes from relpos %X\n", count, src_pos);
CHECK_COUNT();
+ if (dest_index < src_pos)
+ return;
for (i = 0; i < count; i++)
dest[dest_index + i] = dest[dest_index - src_pos + i];
dest_index += count;
int hibytes = s->decode_buffer_size / 2;
/* first, traverse through the frame and find the subchunks */
- while (index < s->size) {
+ while (index + CHUNK_PREAMBLE_SIZE <= s->size) {
+ unsigned next_index;
chunk_type = AV_RB32(&s->buf[index]);
chunk_size = AV_RB32(&s->buf[index + 4]);
+ byte_skip = chunk_size & 0x01;
+ next_index = index + CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip;
+ if (next_index > s->size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Dropping incomplete chunk\n");
+ break;
+ }
switch (chunk_type) {
chunk_type);
break;
}
-
- byte_skip = chunk_size & 0x01;
- index += (CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip);
+ index = next_index;
}
/* next, deal with the palette */
r = s->buf[cpl0_chunk++] * 4;
g = s->buf[cpl0_chunk++] * 4;
b = s->buf[cpl0_chunk++] * 4;
- s->palette[i] = (r << 16) | (g << 8) | (b);
+ s->palette[i] = 0xFF << 24 | r << 16 | g << 8 | b;
+ s->palette[i] |= s->palette[i] >> 6 & 0x30303;
}
}