X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fg2meet.c;h=731d29a5d4a78b5750873d7205674fa214669855;hb=e8344f21e16b7043411830cea99304169127dacf;hp=a1dec8d823d95f6a0c54ccc0afac8120ddcd34f4;hpb=4069096dd535ee99175c2a29c1a1f59c3fc110c1;p=ffmpeg

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index a1dec8d823d..731d29a5d4a 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -244,6 +244,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb,
     const int is_chroma = !!plane;
     const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant;
 
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
+
     c->bdsp.clear_block(block);
     dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3);
     if (dc < 0)
@@ -854,6 +857,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height,
                     uint32_t ref_pix = curr_row[x - 1];
                     if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) {
                         pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row);
+                        if (is_pixel_on_stack(dc, pix))
+                            return AVERROR_INVALIDDATA;
+
                         if (x) {
                             int ret = epic_add_pixel_to_cache(&dc->hash,
                                                               ref_pix,