X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fdsicinvideo.c;h=52f660fb5134a38764a4f087ec023c6886d84e91;hb=eb6ea948ed2f86361ae0b9d8689368d466b8337f;hp=add7afa383170f808e29d0d6fa22c1544ab6a1bb;hpb=942217b153a9bff2d17463957abd772fcd72b400;p=ffmpeg

diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c
index add7afa3831..52f660fb513 100644
--- a/libavcodec/dsicinvideo.c
+++ b/libavcodec/dsicinvideo.c
@@ -58,7 +58,6 @@ static av_cold int allocate_buffers(CinVideoContext *cin)
         cin->bitmap_table[i] = av_mallocz(cin->bitmap_size);
         if (!cin->bitmap_table[i]) {
             av_log(cin->avctx, AV_LOG_ERROR, "Can't allocate bitmap buffers.\n");
-            destroy_buffers(cin);
             return AVERROR(ENOMEM);
         }
     }
@@ -158,6 +157,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size,
         }
     }
 
+    if (dst_end - dst > dst_size - dst_size/10)
+        return AVERROR_INVALIDDATA;
+
     return 0;
 }
 
@@ -184,6 +186,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size,
         }
         dst += len;
     }
+
+    if (dst_end - dst > dst_size - dst_size/10)
+        return AVERROR_INVALIDDATA;
+
     return 0;
 }
 
@@ -259,8 +265,11 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
                              cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 37:
-        cin_decode_huffman(buf, bitmap_frame_size,
+        res = cin_decode_huffman(buf, bitmap_frame_size,
                            cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+
+        if (cin->bitmap_size - avctx->discard_damaged_percentage*cin->bitmap_size/100 > res)
+            return AVERROR_INVALIDDATA;
         break;
     case 38:
         res = cin_decode_lzss(buf, bitmap_frame_size,
@@ -280,7 +289,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
         break;
     }
 
-    if ((res = ff_reget_buffer(avctx, cin->frame)) < 0)
+    if ((res = ff_reget_buffer(avctx, cin->frame, 0)) < 0)
         return res;
 
     memcpy(cin->frame->data[1], cin->palette, sizeof(cin->palette));
@@ -321,5 +330,6 @@ AVCodec ff_dsicinvideo_decoder = {
     .init           = cinvideo_decode_init,
     .close          = cinvideo_decode_end,
     .decode         = cinvideo_decode_frame,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
     .capabilities   = AV_CODEC_CAP_DR1,
 };