X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fcinepak.c;h=aeb15de0ed90b17bf811db591a91e6ce8f20d16a;hb=f3dfd34f27ae11279baa9e2e2525e990b7c858f4;hp=9b0077402f063794f6cfdda70b6b59442fa43e4f;hpb=4069096dd535ee99175c2a29c1a1f59c3fc110c1;p=ffmpeg
diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
index 9b0077402f0..aeb15de0ed9 100644
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -323,6 +323,9 @@ static int cinepak_predecode_check (CinepakContext *s)
 num_strips = AV_RB16 (&s->data[8]);
 encoded_buf_size = AV_RB24(&s->data[1]);
+ if (s->size < encoded_buf_size * (int64_t)(100 - s->avctx->discard_damaged_percentage) / 100)
+ return AVERROR_INVALIDDATA;
+
 /* if this is the first frame, check for deviant Sega FILM data */
 if (s->sega_film_skip_bytes == -1) {
 if (!encoded_buf_size) {
@@ -353,6 +356,13 @@ static int cinepak_predecode_check (CinepakContext *s)
 if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12)
 return AVERROR_INVALIDDATA;
+ if (num_strips) {
+ const uint8_t *data = s->data + 10 + s->sega_film_skip_bytes;
+ int strip_size = AV_RB24 (data + 1);
+ if (strip_size < 12 || strip_size > encoded_buf_size)
+ return AVERROR_INVALIDDATA;
+ }
+
 return 0;
 }
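Review bot: The added size test in the first hunk carries no comment, and its threshold is hard to read off the expression; a line such as `/* drop frames missing more than discard_damaged_percentage percent of the size declared in the header */` above it would state the intent. The test runs before the Sega FILM handling visible in the trailing context, so it is worth confirming that streams whose header size deviates from the packet size are not rejected before that handling can classify them. The expression also depends on discard_damaged_percentage staying within 0..100: for a larger value the right-hand side turns negative and the test never rejects anything, which is presumably prevented by the option's declared range outside this hunk. cinepak_predecode_check begins before the hunk and continues after it.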
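Review bot: The upper bound `strip_size > encoded_buf_size` in the second hunk compares one header field with another taken from the same untrusted packet, so it does not show that the first strip fits in the `s->size` bytes actually received. A comment should say that this is a plausibility check and not a bounds guarantee, for example `/* sanity-check the first strip header only; strip decoding must still bound every read by the packet size */`. The read at `data + 1` itself is covered by the preceding `s->size < 10 + s->sega_film_skip_bytes + num_strips * 12` test whenever num_strips is non-zero. Only the first strip is examined, so later strips presumably depend on checks in the decode path, which is not visible here. The function starts outside the hunk.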