X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;ds=sidebyside;f=libavcodec%2Fcavsdec.c;h=692c77eb3900d8eb5659d965ab9c130bac9932ae;hb=2606c48391377681541111263de41c79adeffa49;hp=1c4f71824a1b9e8598219ab65a2734b4f7e3d61b;hpb=37bc8e3249c88b733bcc0d8c74cdf668292e4d63;p=ffmpeg

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 1c4f71824a1..692c77eb390 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -676,7 +676,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
         }
         h->pred_mode_Y[pos] = predpred;
     }
-    pred_mode_uv = get_ue_golomb(gb);
+    pred_mode_uv = get_ue_golomb_31(gb);
     if (pred_mode_uv > 6) {
         av_log(h->avctx, AV_LOG_ERROR, "illegal intra chroma pred mode\n");
         return AVERROR_INVALIDDATA;
@@ -1101,11 +1101,20 @@ static int decode_pic(AVSContext *h)
         do {
             if (check_for_slice(h))
                 skip_count = -1;
-            if (h->skip_mode_flag && (skip_count < 0))
+            if (h->skip_mode_flag && (skip_count < 0)) {
+                if (get_bits_left(&h->gb) < 1) {
+                    ret = AVERROR_INVALIDDATA;
+                    break;
+                }
                 skip_count = get_ue_golomb(&h->gb);
+            }
             if (h->skip_mode_flag && skip_count--) {
                 decode_mb_p(h, P_SKIP);
             } else {
+                if (get_bits_left(&h->gb) < 1) {
+                    ret = AVERROR_INVALIDDATA;
+                    break;
+                }
                 mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag;
                 if (mb_type > P_8X8)
                     ret = decode_mb_i(h, mb_type - P_8X8 - 1);
@@ -1119,11 +1128,20 @@ static int decode_pic(AVSContext *h)
         do {
             if (check_for_slice(h))
                 skip_count = -1;
-            if (h->skip_mode_flag && (skip_count < 0))
+            if (h->skip_mode_flag && (skip_count < 0)) {
+                if (get_bits_left(&h->gb) < 1) {
+                    ret = AVERROR_INVALIDDATA;
+                    break;
+                }
                 skip_count = get_ue_golomb(&h->gb);
+            }
             if (h->skip_mode_flag && skip_count--) {
                 ret = decode_mb_b(h, B_SKIP);
             } else {
+                if (get_bits_left(&h->gb) < 1) {
+                    ret = AVERROR_INVALIDDATA;
+                    break;
+                }
                 mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag;
                 if (mb_type > B_8X8)
                     ret = decode_mb_i(h, mb_type - B_8X8 - 1);
@@ -1289,7 +1307,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     }
 }
 
-AVCodec ff_cavs_decoder = {
+const AVCodec ff_cavs_decoder = {
     .name           = "cavs",
     .long_name      = NULL_IF_CONFIG_SMALL("Chinese AVS (Audio Video Standard) (AVS1-P2, JiZhun profile)"),
     .type           = AVMEDIA_TYPE_VIDEO,