X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fituh263dec.c;h=c1005b0994ff6860132943488388be6c5f782ad0;hb=c0d3fea6000bae5937df6f5744e1dfdd3ab83795;hp=1b57e53cad9ff934dde788562b61b9748e8e5d72;hpb=29929fc8e2449d2db8bd144b2badc8d1e6347412;p=ffmpeg

diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index 1b57e53cad9..c1005b0994f 100644
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -222,7 +222,7 @@ int ff_h263_resync(MpegEncContext *s){
             get_bits(&s->gb, 8);
         }
 
-        if (show_bits_long(&s->gb, 32) == SLICE_START_CODE)
+        if (get_bits_left(&s->gb) >= 32 && show_bits_long(&s->gb, 32) == SLICE_START_CODE)
             return get_bits_count(&s->gb);
         else
             return -1;
@@ -1218,6 +1218,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
     if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0)
         return ret;
 
+    if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) {
+        if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb))
+            return AVERROR_INVALIDDATA;
+    }
+
     s->mb_width = (s->width  + 15) / 16;
     s->mb_height = (s->height  + 15) / 16;
     s->mb_num = s->mb_width * s->mb_height;
@@ -1281,7 +1286,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s)
         for(i=0; i<13; i++){
             for(j=0; j<3; j++){
                 int v= get_bits(&s->gb, 8);
-                v |= get_sbits(&s->gb, 8)<<8;
+                v |= get_sbits(&s->gb, 8) * (1 << 8);
                 av_log(s->avctx, AV_LOG_DEBUG, " %5d", v);
             }
             av_log(s->avctx, AV_LOG_DEBUG, "\n");