X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Findeo3.c;h=1bb73fe790376de24b786fb5ef687b3c7771332c;hb=e4de71677f3adeac0f74b89ac8df5d417364df2c;hp=6d3c3cc77536e32f1ca72fccc2cbe4439f0934b0;hpb=13b7781ec8d475513c1ee40a6e481763b728a71e;p=ffmpeg

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 6d3c3cc7753..1bb73fe7903 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -226,8 +226,11 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
     /* setup output and reference pointers */
     offset_dst  = (cell->ypos << 2) * plane->pitch + (cell->xpos << 2);
     dst         = plane->pixels[ctx->buf_sel] + offset_dst;
+    if(cell->mv_ptr){
     mv_y        = cell->mv_ptr[0];
     mv_x        = cell->mv_ptr[1];
+    }else
+        mv_x= mv_y= 0;
     offset      = offset_dst + mv_y * plane->pitch + mv_x;
     src         = plane->pixels[ctx->buf_sel ^ 1] + offset;
 
@@ -444,7 +447,7 @@ static int decode_cell_data(Cell *cell, uint8_t *block, uint8_t *ref_block,
                             BUFFER_PRECHECK;
                             dyad1 = bytestream_get_byte(data_ptr);
                             dyad2 = code;
-                            if (dyad1 > delta_tab->num_dyads || dyad1 >= 248)
+                            if (dyad1 >= delta_tab->num_dyads || dyad1 >= 248)
                                 return IV3_BAD_DATA;
                         } else {
                             /* process QUADS */
@@ -733,7 +736,7 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
         ref_cell->width -= curr_cell.width;
     }
 
-    while (1) { /* loop until return */
+    while (get_bits_left(&ctx->gb) >= 2) { /* loop until return */
         RESYNC_BITSTREAM;
         switch (code = get_bits(&ctx->gb, 2)) {
         case H_SPLIT:
@@ -756,6 +759,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                     av_log(avctx, AV_LOG_ERROR, "SkipCell procedure not implemented yet!\n");
 
                 CHECK_CELL
+                if (!curr_cell.mv_ptr)
+                    return AVERROR_INVALIDDATA;
                 copy_cell(ctx, plane, &curr_cell);
                 return 0;
             }
@@ -786,7 +791,7 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
         }
     }//while
 
-    return 0;
+    return AVERROR_INVALIDDATA;
 }
 
 
@@ -795,15 +800,19 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                         int32_t strip_width)
 {
     Cell            curr_cell;
-    int             num_vectors;
+    uint32_t        num_vectors;
 
     /* each plane data starts with mc_vector_count field, */
     /* an optional array of motion vectors followed by the vq data */
     num_vectors = bytestream_get_le32(&data);
+    if(num_vectors >= data_size/2)
+        return AVERROR_INVALIDDATA;
     ctx->mc_vectors  = num_vectors ? data : 0;
+    data     += num_vectors * 2;
+    data_size-= num_vectors * 2;
 
     /* init the bitreader */
-    init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);
+    init_get_bits(&ctx->gb, data, data_size << 3);
     ctx->skip_bits   = 0;
     ctx->need_resync = 0;