X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fdxv.c;h=aef5ec19dd6b6970d91fd264698a10ce6bbfde7f;hb=0dda0f3bdb7e8a2d5bef7457375f72f38a100ccb;hp=08aca73b1fd8b8f6de42f17293b6738a201f472b;hpb=250792be5e905cbcfd0b4858e57de9b007e74e44;p=ffmpeg

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 08aca73b1fd..aef5ec19dd6 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -426,7 +426,8 @@ static int fill_optable(unsigned *table0, OpcodeTable *table1, int nb_elements)
 static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op_size, int nb_elements)
 {
     OpcodeTable optable[1024];
-    int sum, x, val, lshift, rshift, ret, size_in_bits, i, idx;
+    int sum, x, val, lshift, rshift, ret, i, idx;
+    int64_t size_in_bits;
     unsigned endoffset, newoffset, offset;
     unsigned next;
     uint8_t *src = (uint8_t *)gb->buffer;
@@ -1192,6 +1193,12 @@ static int dxv_decode(AVCodecContext *avctx, void *data,
     ret = decompress_tex(avctx);
     if (ret < 0)
         return ret;
+    {
+        int w_block = avctx->coded_width / ctx->texture_block_w;
+        int h_block = avctx->coded_height / ctx->texture_block_h;
+        if (w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL)
+            return AVERROR_INVALIDDATA;
+    }
 
     tframe.f = data;
     ret = ff_thread_get_buffer(avctx, &tframe, 0);