X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fg2meet.c;h=6b870ae3d44cfde8cc5576f74665c2c7b7f07aa1;hb=57eee75c3fd075e555df122f1abc45ca636a2726;hp=a1dec8d823d95f6a0c54ccc0afac8120ddcd34f4;hpb=41cd5af3250ef976f0a48adeb6dbccc9b2683e58;p=ffmpeg
diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index a1dec8d823d..6b870ae3d44 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -244,6 +244,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb,
 const int is_chroma = !!plane;
 const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant;
+ if (get_bits_left(gb) < 1)
+ return AVERROR_INVALIDDATA;
+
 c->bdsp.clear_block(block);
 dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3);
 if (dc < 0)
@@ -557,7 +560,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y,
 }
 if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) {
- avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B);
+ avpriv_request_sample(NULL, "RGB %d %d %d (out of range)", R, G, B);
 return 0;
 }
@@ -854,6 +857,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height,
 uint32_t ref_pix = curr_row[x - 1];
 if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) {
 pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row);
+ if (is_pixel_on_stack(dc, pix))
+ return AVERROR_INVALIDDATA;
+
 if (x) {
 int ret = epic_add_pixel_to_cache(&dc->hash,
 ref_pix,
@@ -911,6 +917,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
 awidth = FFALIGN(tile_width, 16);
 aheight = FFALIGN(tile_height, 16);
+ if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) {
+ avpriv_request_sample(avctx, "large tile width");
+ return AVERROR_INVALIDDATA;
+ }
+
 if (els_dsize) {
 int ret, i, j, k;
 uint8_t tr_r, tr_g, tr_b, *buf;
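Review bot: The guard added at the top of jpg_decode_block only proves that a single bit is left, while the `get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3)` call directly below it can consume more than that, so a stream that ends in the middle of a block still passes the check. If the intent is to stop decoding further blocks once the input is exhausted, rather than to bound every read, the check should say so in a comment such as `/* input exhausted: fail instead of decoding more blocks from padding */`. Whether reads past the end are otherwise harmless depends on how the bit reader is configured, which this hunk does not show. The rest of the function body lies outside the hunk.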
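Review bot: In epic_decode_tile the new `is_pixel_on_stack(dc, pix)` test runs on whatever epic_decode_pixel_pred returned, and that function returns 0 when the reconstructed RGB is out of range (visible in the hunk at old line 557), so the out-of-range sentinel and a genuine pixel value of 0 are handled identically here. If out-of-range prediction is meant to be an error on untrusted input, it would be clearer to reject it explicitly than to rely on 0 happening to be on the stack. Either way the check deserves a comment explaining why a predicted pixel that is already on the stack marks the stream as corrupt, e.g. `/* a predicted pixel must not already be on the stack: corrupt input */`. The enclosing loop and the rest of the function are outside the hunk, so whether any state needs unwinding before this return cannot be checked from here.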
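Review bot: The limit `1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung)` in epic_jb_decode_tile ties the maximum tile width to the length of an array without saying why, so a reader cannot confirm that the bound matches how prev_row_rung is indexed elsewhere; a comment above the check, e.g. `/* tile_width must stay within the index range covered by prev_row_rung (TODO confirm derivation) */`, would make the invariant reviewable. The shift is evaluated in int, so it is only well defined while the array has fewer than 31 elements, and the array's declaration is not part of this hunk. Since the branch asks for a sample, `return AVERROR_PATCHWELCOME;` would be the more usual pairing with avpriv_request_sample than AVERROR_INVALIDDATA. The function continues outside the hunk.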