X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Floco.c;h=99e3a1d021d39443fccf19c66e5abfb12873bfa5;hb=30f7021aa0be2c978aefb73894b643c9bafbf51c;hp=741db3bdcece517cb6b0216a32f3d7e4b5f1aac0;hpb=ebdc5c419aef0d9eed8c1ec57b30238194c1db0a;p=ffmpeg

diff --git a/libavcodec/loco.c b/libavcodec/loco.c
index 741db3bdcec..99e3a1d021d 100644
--- a/libavcodec/loco.c
+++ b/libavcodec/loco.c
@@ -82,12 +82,14 @@ static inline void loco_update_rice_param(RICEContext *r, int val)
 
 static inline int loco_get_rice(RICEContext *r)
 {
-    int v;
+    unsigned v;
     if (r->run > 0) { /* we have zero run */
         r->run--;
         loco_update_rice_param(r, 0);
         return 0;
     }
+    if (get_bits_left(&r->gb) < 1)
+        return INT_MIN;
     v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0);
     loco_update_rice_param(r, (v + 1) >> 1);
     if (!v) {
@@ -129,7 +131,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
                              int stride, const uint8_t *buf, int buf_size)
 {
     RICEContext rc;
-    int val;
+    unsigned val;
     int ret;
     int i, j;
 
@@ -153,16 +155,22 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh
     /* restore top line */
     for (i = 1; i < width; i++) {
         val = loco_get_rice(&rc);
+        if (val == INT_MIN)
+           return AVERROR_INVALIDDATA;
         data[i] = data[i - 1] + val;
     }
     data += stride;
     for (j = 1; j < height; j++) {
         /* restore left column */
         val = loco_get_rice(&rc);
+        if (val == INT_MIN)
+           return AVERROR_INVALIDDATA;
         data[0] = data[-stride] + val;
         /* restore all other pixels */
         for (i = 1; i < width; i++) {
             val = loco_get_rice(&rc);
+            if (val == INT_MIN)
+                return -1;
             data[i] = loco_predict(&data[i], stride) + val;
         }
         data += stride;
@@ -295,6 +303,11 @@ static av_cold int decode_init(AVCodecContext *avctx)
         avpriv_request_sample(avctx, "LOCO codec version %i", version);
     }
 
+    if (l->lossy > 65536U) {
+        av_log(avctx, AV_LOG_ERROR, "lossy %i is too large\n", l->lossy);
+        return AVERROR_INVALIDDATA;
+    }
+
     l->mode = AV_RL32(avctx->extradata + 4);
     switch (l->mode) {
     case LOCO_CYUY2:
@@ -333,4 +346,5 @@ AVCodec ff_loco_decoder = {
     .init           = decode_init,
     .decode         = decode_frame,
     .capabilities   = AV_CODEC_CAP_DR1,
+    .caps_internal  = FF_CODEC_CAP_INIT_THREADSAFE,
 };