X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fgdv.c;h=2be1e2ea7fd1e9f7fa437573db2b9337f7971862;hb=6eab25fd1369e52930a19eaf0f3338bbd84e5e7b;hp=c5d80f43f63124f834235cd3e912901ee67b316c;hpb=ebdc5c419aef0d9eed8c1ec57b30238194c1db0a;p=ffmpeg

diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c
index c5d80f43f63..2be1e2ea7fd 100644
--- a/libavcodec/gdv.c
+++ b/libavcodec/gdv.c
@@ -294,6 +294,8 @@ static int decompress_5(AVCodecContext *avctx, unsigned skip)
 
     while (bytestream2_get_bytes_left_p(pb) > 0 && bytestream2_get_bytes_left(gb) > 0) {
         int tag = read_bits2(&bits, gb);
+        if (bytestream2_get_bytes_left(gb) < 1)
+            return AVERROR_INVALIDDATA;
         if (tag == 0) {
             bytestream2_put_byte(pb, bytestream2_get_byte(gb));
         } else if (tag == 1) {
@@ -306,7 +308,7 @@ static int decompress_5(AVCodecContext *avctx, unsigned skip)
             int len;
             int b = bytestream2_get_byte(gb);
             if (b == 0) {
-                break;
+                return 0;
             }
             if (b != 0xFF) {
                 len = b;
@@ -321,6 +323,8 @@ static int decompress_5(AVCodecContext *avctx, unsigned skip)
             lz_copy(pb, g2, off, len);
         }
     }
+    if (bytestream2_get_bytes_left_p(pb) > 0)
+        return AVERROR_INVALIDDATA;
     return 0;
 }
 
@@ -354,7 +358,8 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8)
                     if (val != ((1 << lbits) - 1)) {
                         break;
                     }
-                    assert(lbits < 16);
+                    if (lbits >= 16)
+                        return AVERROR_INVALIDDATA;
                 }
                 for (i = 0; i < len; i++) {
                     bytestream2_put_byte(pb, bytestream2_get_byte(gb));
@@ -443,6 +448,9 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8)
         }
     }
 
+    if (bytestream2_get_bytes_left_p(pb) > 0)
+        return AVERROR_INVALIDDATA;
+
     return 0;
 }
 
@@ -473,6 +481,8 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data,
     if (pal && pal_size == AVPALETTE_SIZE)
         memcpy(gdv->pal, pal, AVPALETTE_SIZE);
 
+    if (compression < 2 && bytestream2_get_bytes_left(gb) < 256*3)
+        return AVERROR_INVALIDDATA;
     rescale(gdv, gdv->frame, avctx->width, avctx->height,
             !!(flags & 0x10), !!(flags & 0x20));
 
@@ -480,8 +490,6 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data,
     case 1:
         memset(gdv->frame + PREAMBLE_SIZE, 0, gdv->frame_size - PREAMBLE_SIZE);
     case 0:
-        if (bytestream2_get_bytes_left(gb) < 256*3)
-            return AVERROR_INVALIDDATA;
         for (i = 0; i < 256; i++) {
             unsigned r = bytestream2_get_byte(gb);
             unsigned g = bytestream2_get_byte(gb);
@@ -543,7 +551,7 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data,
 
     *got_frame = 1;
 
-    return ret < 0 ? ret : avpkt->size;
+    return avpkt->size;
 }
 
 static av_cold int gdv_decode_close(AVCodecContext *avctx)