X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fclearvideo.c;h=a9fa0228bd92f02cd5fa150c1ae365a09178273e;hb=c996374d4d86e0efbef71812448b4c65656bc667;hp=060affeafd63c7639602f75a53f5c4566db9c70e;hpb=f089e02fa2b7716d9fa5228c734e55678437db85;p=ffmpeg

diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index 060affeafd6..a9fa0228bd9 100644
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -189,8 +189,8 @@ static inline int decode_block(CLVContext *ctx, int16_t *blk, int has_ac,
     const int t7 = ((blk[0 * step] - blk[4 * step]) * (1 << dshift)) + bias;  \
     const int t8 = t0 + t2;                                             \
     const int t9 = t0 - t2;                                             \
-    const int tA = 181 * (t9 + (t1 - t3)) + 0x80 >> 8;                  \
-    const int tB = 181 * (t9 - (t1 - t3)) + 0x80 >> 8;                  \
+    const int tA = (int)(181U * (t9 + (t1 - t3)) + 0x80) >> 8;          \
+    const int tB = (int)(181U * (t9 - (t1 - t3)) + 0x80) >> 8;          \
     const int tC = t1 + t3;                                             \
                                                                         \
     blk[0 * step] = (t6 + t5 + t8) >> shift;                            \
@@ -297,6 +297,11 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
     c->pic->pict_type = frame_type & 0x20 ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P;
 
     if (frame_type & 0x2) {
+        if (buf_size < c->mb_width * c->mb_height) {
+            av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         bytestream2_get_be32(&gb); // frame size;
         c->ac_quant        = bytestream2_get_byte(&gb);
         c->luma_dc_quant   = 32;