X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fdxv.c;h=71d85208d869761d7571f3da307ac0a149bb9fd6;hb=8e4390de48b22cf6dd2307f0c29a3fef7016ef4c;hp=aef5ec19dd6b6970d91fd264698a10ce6bbfde7f;hpb=fda424b300c1a0b991296aa585691609d01196bd;p=ffmpeg
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index aef5ec19dd6..71d85208d86 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -256,6 +256,8 @@ static int decompress_texture_thread(AVCodecContext *avctx, void *arg,
 #define CHECKPOINT(x) \
 do { \
 if (state == 0) { \
+ if (bytestream2_get_bytes_left(gbc) < 4) \
+ return AVERROR_INVALIDDATA; \
 value = bytestream2_get_le32(gbc); \
 state = 16; \
 } \
@@ -743,6 +745,9 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb,
 int skip0, skip1, oi0 = 0, oi1 = 0;
 int ret, state0 = 0, state1 = 0;
 
+ if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
+ return AVERROR_INVALIDDATA;
+
 dst = tex_data;
 bytestream2_skip(gb, op_offset - 12);
 if (op_size0 > max_op_size0)
@@ -750,7 +755,6 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb,
 skip0 = dxv_decompress_opcodes(gb, op_data0, op_size0);
 if (skip0 < 0)
 return skip0;
- bytestream2_seek(gb, data_start + op_offset + skip0 - 12, SEEK_SET);
 if (op_size1 > max_op_size1)
 return AVERROR_INVALIDDATA;
 skip1 = dxv_decompress_opcodes(gb, op_data1, op_size1);
@@ -779,7 +783,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb,
 return ret;
 }
 
- bytestream2_seek(gb, data_start + op_offset + skip0 + skip1 - 12, SEEK_SET);
+ bytestream2_seek(gb, data_start - 12 + op_offset + skip0 + skip1, SEEK_SET);
 
 return 0;
 }
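Review bot: The added `return AVERROR_INVALIDDATA;` lives inside the CHECKPOINT macro, so each expansion site now has an exit that is invisible where the macro is used. A comment above the `#define`, for example `/* May return AVERROR_INVALIDDATA from the enclosing function when fewer than 4 bytes remain. */`, would make that contract explicit. Every function that expands CHECKPOINT should also be checked for state that must be released before an early return. Those call sites and the rest of the macro are outside this hunk.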
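Review bot: The new bound `op_offset - 12 > bytestream2_get_bytes_left(gb)` in dxv_decompress_cocg compares two values whose types are not visible in the hunk. If either side is unsigned, the comparison is done in unsigned arithmetic and the `op_offset < 12` guard can behave differently than intended. The declaration of `op_offset` and the helper's return type should be confirmed against this test. The literal 12 is also used by the following `bytestream2_skip` and by the final seek, and the same check added to dxv_decompress_yo uses 8. A named constant, or a comment such as `/* 12 = header bytes already consumed before the opcode data (confirm) */`, would keep those sites in step. The function starts and ends outside this hunk.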
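Review bot: The reordered offset `data_start - 12 + op_offset + skip0 + skip1` in the final `bytestream2_seek` has no explanation of why the term order matters, so a later cleanup could silently put it back. If the intent is to subtract first so the intermediate sum of stream-derived values stays smaller, a comment such as `/* subtract the header size first to keep the intermediate sum in range */` would record that. The expression is still plain arithmetic on values read from the bitstream. It is worth confirming that a negative `skip1` is rejected before this line is reached, since that check is outside the hunk.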
@@ -794,6 +798,9 @@ static int dxv_decompress_yo(DXVContext *ctx, GetByteContext *gb,
 uint8_t *dst, *table0[256] = { 0 }, *table1[256] = { 0 };
 int ret, state = 0, skip, oi = 0, v, vv;
 
+ if (op_offset < 8 || op_offset - 8 > bytestream2_get_bytes_left(gb))
+ return AVERROR_INVALIDDATA;
+
 dst = tex_data;
 bytestream2_skip(gb, op_offset - 8);
 if (op_size > max_op_size)
@@ -860,8 +867,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
 {
 DXVContext *ctx = avctx->priv_data;
 GetByteContext *gbc = &ctx->gbc;
- uint32_t value, op;
- int idx, prev, state = 0;
+ uint32_t value, op, prev;
+ int idx, state = 0;
 int pos = 4;
 int run = 0;
 int probe, check;
@@ -1052,6 +1059,10 @@ static int dxv_decode(AVCodecContext *avctx, void *data,
 avctx->pix_fmt = AV_PIX_FMT_RGBA;
 avctx->colorspace = AVCOL_SPC_RGB;
 
+ ctx->tex_funct = NULL;
+ ctx->tex_funct_planar[0] = NULL;
+ ctx->tex_funct_planar[1] = NULL;
+
 tag = bytestream2_get_le32(gbc);
 switch (tag) {
 case MKBETAG('D', 'X', 'T', '1'):
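Review bot: Clearing `ctx->tex_funct` and both `ctx->tex_funct_planar[]` entries in dxv_decode only helps if every later call through these pointers is either preceded by an assignment in the matching `switch (tag)` case or guarded by a NULL test. Neither is visible in this hunk. Without one of them, the reset turns a stale pointer left by an earlier frame into a NULL call rather than a clean error. A comment such as `/* Reset per frame so a pointer chosen for an earlier tag is never reused. */` would record the intent. The point where the texture functions are dispatched should be checked for a path that returns AVERROR_INVALIDDATA when the needed pointer is still NULL. The function continues outside the hunk.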