X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fcavsdec.c;h=7a5f795dab8ef2bd8837373f394c047878ed9311;hb=faa5a2181df53b5226f998a20b735798addcd365;hp=6f4d6aca69f130d8dac447ef634add2cc600632f;hpb=85452f9ab7aaa6417e8c8b1b2eb285e7dce55a9c;p=ffmpeg diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 6f4d6aca69f..7a5f795dab8 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; @@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, @@ -684,7 +684,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) } h->cbp = cbp_tab[cbp_code][0]; if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(gb)) & 63; //qp_delta + h->qp = (h->qp + (unsigned)get_se_golomb(gb)) & 63; //qp_delta /* luma intra prediction interleaved with residual decode/transform/add */ for (block = 0; block < 4; block++) { @@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0;