X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Ffic.c;h=65d102b86bea25f8bdc982889c50b2277342710b;hb=1046e880884bb5f0da4fb7d50028ff599550245c;hp=c288c9771bfab95cec544aa57b25e8e8dfabb86c;hpb=b4ca32414ea28ad29b4bd387c298f5a676dace2a;p=ffmpeg

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index c288c9771bf..65d102b86be 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -139,6 +139,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb,
 {
     int i, num_coeff;
 
+    if (get_bits_left(gb) < 8)
+        return AVERROR_INVALIDDATA;
+
     /* Is it a skip block? */
     if (get_bits1(gb)) {
         *is_p = 1;
@@ -173,9 +176,11 @@ static int fic_decode_slice(AVCodecContext *avctx, void *tdata)
     int slice_h  = tctx->slice_h;
     int src_size = tctx->src_size;
     int y_off    = tctx->y_off;
-    int x, y, p;
+    int x, y, p, ret;
 
-    init_get_bits(&gb, src, src_size * 8);
+    ret = init_get_bits8(&gb, src, src_size);
+    if (ret < 0)
+        return ret;
 
     for (p = 0; p < 3; p++) {
         int stride   = ctx->frame->linesize[p];
@@ -380,6 +385,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
             slice_h      = FFALIGN(avctx->height - ctx->slice_h * (nslices - 1), 16);
         } else {
             slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4);
+            if (slice_size < slice_off)
+                return AVERROR_INVALIDDATA;
         }
 
         if (slice_size < slice_off || slice_size > msize)
@@ -469,7 +476,7 @@ static const AVOption options[] = {
 };
 
 static const AVClass fic_decoder_class = {
-    .class_name = "FIC encoder",
+    .class_name = "FIC decoder",
     .item_name  = av_default_item_name,
     .option     = options,
     .version    = LIBAVUTIL_VERSION_INT,