X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Ffmvc.c;h=74e9bdd8a088ddd66c9557cad4524928fcca6bee;hb=752dd1952a7b68094f8b2d5da0ca0df94190cf0e;hp=1f8b0c5c17ca32edb89f4154a6b71ad2b868daf4;hpb=90fe0800fb84d46994c351e0c0ff200a14d27168;p=ffmpeg
diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c
index 1f8b0c5c17c..74e9bdd8a08 100644
--- a/libavcodec/fmvc.c
+++ b/libavcodec/fmvc.c
@@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx,
 int size, offset, start = 0;
 offset = bytestream2_get_le16(gb);
- if (offset > s->nb_blocks)
+ if (offset >= s->nb_blocks)
 return AVERROR_INVALIDDATA;
 size = bytestream2_get_le16(gb);
@@ -561,6 +561,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 }
 s->nb_blocks = s->xb * s->yb;
+ if (!s->nb_blocks)
+ return AVERROR_INVALIDDATA;
+
 s->blocks = av_calloc(s->nb_blocks, sizeof(*s->blocks));
 if (!s->blocks)
 return AVERROR(ENOMEM);
@@ -593,8 +596,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
 s->bpp = avctx->bits_per_coded_sample >> 3;
 s->buffer_size = avctx->width * avctx->height * 4;
 s->pbuffer_size = avctx->width * avctx->height * 4;
- s->buffer = av_malloc(s->buffer_size);
- s->pbuffer = av_malloc(s->pbuffer_size);
+ s->buffer = av_mallocz(s->buffer_size);
+ s->pbuffer = av_mallocz(s->pbuffer_size);
 if (!s->buffer || !s->pbuffer)
 return AVERROR(ENOMEM);
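Review bot: In the decode_frame hunk (@@ -459), the tightened test bounds `offset` alone, while `size` is read on the following line and nothing visible here relates it to the blocks remaining after `offset`. decode_frame continues outside the hunk, so this may already be handled further down. If it is not, and assuming both values index `s->blocks`, a check such as `if (size > s->nb_blocks - offset) return AVERROR_INVALIDDATA;` right after the read would keep the whole range inside the table. Writing it as a subtraction avoids any wrap in `size + offset`.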
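Review bot: In the first decode_init hunk (@@ -561), `if (!s->nb_blocks)` rejects only an exact zero, and the product `s->xb * s->yb` is evaluated before the test. The declarations of `xb`, `yb` and `nb_blocks` are outside the hunk; if they are signed `int`, a negative product would pass this guard and be handed to `av_calloc` as a huge count. Should that be reachable with the dimensions accepted earlier in decode_init, `if (s->nb_blocks <= 0)` would cover it. decode_init's body starts and ends outside the hunk.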
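Review bot: In the second decode_init hunk (@@ -593), the sizes handed to `av_mallocz` come from `avctx->width * avctx->height * 4`, which is multiplied in `int` before assignment and can overflow for large dimensions unless those are bounded earlier in decode_init (not visible here). An overflowed size would leave both buffers smaller than the frame they are presumably meant to hold, zero-filled or not. If no earlier bound exists, validating with `av_image_check_size(avctx->width, avctx->height, 0, avctx)` would close that. Widening the multiplication is the alternative, e.g. `s->buffer_size = (size_t)avctx->width * avctx->height * 4;` if `buffer_size` is a `size_t`.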