X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fmss4.c;h=432df294d69e6655c4f3741c7cd390a82646aee2;hb=634529c40d62e02bacea3a7f91d4226a9e4b3cbc;hp=b58c21be9382379c6d28d56aa7e08ff0f4e90453;hpb=47e12966b75490cfa5fb8ed65a48a9a3d84a7bce;p=ffmpeg

diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c
index b58c21be938..432df294d69 100644
--- a/libavcodec/mss4.c
+++ b/libavcodec/mss4.c
@@ -552,8 +552,13 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                "Empty frame found but it is not a skip frame.\n");
         return AVERROR_INVALIDDATA;
     }
+    mb_width  = FFALIGN(width,  16) >> 4;
+    mb_height = FFALIGN(height, 16) >> 4;
+
+    if (frame_type != SKIP_FRAME && 8*buf_size < 8*HEADER_SIZE + mb_width*mb_height)
+        return AVERROR_INVALIDDATA;
 
-    if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
+    if ((ret = ff_reget_buffer(avctx, c->pic, 0)) < 0)
         return ret;
     c->pic->key_frame = (frame_type == INTRA_FRAME);
     c->pic->pict_type = (frame_type == INTRA_FRAME) ? AV_PICTURE_TYPE_I
@@ -574,9 +579,6 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 
     if ((ret = init_get_bits8(&gb, buf + HEADER_SIZE, buf_size - HEADER_SIZE)) < 0)
         return ret;
-
-    mb_width  = FFALIGN(width,  16) >> 4;
-    mb_height = FFALIGN(height, 16) >> 4;
     dst[0] = c->pic->data[0];
     dst[1] = c->pic->data[1];
     dst[2] = c->pic->data[2];