X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fmss12.c;h=5a5bd9a91b6620f9a1297d8f00e68838aade1d03;hb=9badc602928a2e14797e4d0e4a20770e42932b7d;hp=3b1a3029e07cc2dd0198f9dd5af294a7d53b5ecb;hpb=34a0a9746b2f441db7c45983838a88aa87a33834;p=ffmpeg

diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c
index 3b1a3029e07..5a5bd9a91b6 100644
--- a/libavcodec/mss12.c
+++ b/libavcodec/mss12.c
@@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx,
 {
     int i, val, pix;
 
+    if (acoder->overread > MAX_OVERREAD)
+        return AVERROR_INVALIDDATA;
     val = acoder->get_model_sym(acoder, &pctx->cache_model);
     if (val < pctx->num_syms) {
         if (any_ngb) {
@@ -306,6 +308,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic,
             else
                 p = decode_pixel_in_context(acoder, pctx, dst + i, stride,
                                             i, j, width - i - 1);
+            if (p < 0)
+                return p;
             dst[i] = p;
 
             if (rgb_pic)
@@ -398,6 +402,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder,
                 else
                     p = decode_pixel_in_context(acoder, pctx, dst + i, stride,
                                                 i, j, width - i - 1);
+                if (p < 0)
+                    return p;
                 dst[i] = p;
                 if (c->rgb_pic)
                     AV_WB24(rgb_dst + i * 3, c->pal[p]);
@@ -473,6 +479,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder,
         uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride;
 
         pix     = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0);
+        if (pix < 0)
+            return pix;
         rgb_pix = c->pal[pix];
         for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) {
             memset(dst, pix, width);
@@ -499,6 +507,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder,
 
     if (!mode) {
         mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0);
+        if (mode < 0)
+            return mode;
 
         if (c->avctx->err_recognition & AV_EF_EXPLODE &&
             ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 ||
@@ -530,6 +540,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder,
                          int x, int y, int width, int height)
 {
     int mode, pivot;
+    if (acoder->overread > MAX_OVERREAD)
+        return AVERROR_INVALIDDATA;
 
     mode = acoder->get_model_sym(acoder, &sc->split_mode);