X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fhq_hqa.c;h=8404e80ec8ed90a8971c1689b2248a9e7c82ecfa;hb=5663301560d77486c7f7c03c1aa5f542fab23c24;hp=ec9da3e04fdad66f9e4743783ce2f3e2f248e0c2;hpb=2ac399d7faa5ac80088715780769522d1141b549;p=ffmpeg

diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index ec9da3e04fd..8404e80ec8e 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -248,13 +248,18 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size)
     int width, height, quant;
     const uint8_t *src = ctx->gbc.buffer;
 
+    if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1))
+        return AVERROR_INVALIDDATA;
+
     width  = bytestream2_get_be16(&ctx->gbc);
     height = bytestream2_get_be16(&ctx->gbc);
 
+    ret = ff_set_dimensions(ctx->avctx, width, height);
+    if (ret < 0)
+        return ret;
+
     ctx->avctx->coded_width         = FFALIGN(width,  16);
     ctx->avctx->coded_height        = FFALIGN(height, 16);
-    ctx->avctx->width               = width;
-    ctx->avctx->height              = height;
     ctx->avctx->bits_per_raw_sample = 8;
     ctx->avctx->pix_fmt             = AV_PIX_FMT_YUVA422P;
 
@@ -316,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
         int info_size;
         bytestream2_skip(&ctx->gbc, 4);
         info_size = bytestream2_get_le32(&ctx->gbc);
-        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
+        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
             av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
             return AVERROR_INVALIDDATA;
         }