X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Frv10.c;h=3b41d30b92b8b2da0aa286ab2bb94ad19fa54dc9;hb=e38b8b0dc6eb1011ec814bcadf5ece015eb250eb;hp=595e2175190abc17656c932f6f2c5df877b34327;hpb=64425e005edf3bdd77c34c078c3e74ab5ecef557;p=ffmpeg
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 595e2175190..3b41d30b92b 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -388,9 +388,9 @@ static int rv20_decode_picture_header(RVDecContext *rv)
 // attempt to keep aspect during typical resolution switches
 if (!old_aspect.num)
 old_aspect = (AVRational){1, 1};
- if (2 * new_w * s->height == new_h * s->width)
+ if (2 * (int64_t)new_w * s->height == (int64_t)new_h * s->width)
 s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){2, 1});
- if (new_w * s->height == 2 * new_h * s->width)
+ if ((int64_t)new_w * s->height == 2 * (int64_t)new_h * s->width)
 s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){1, 2});
 ret = ff_set_dimensions(s->avctx, new_w, new_h);
@@ -550,7 +550,7 @@ static av_cold int rv10_decode_end(AVCodecContext *avctx)
 }
 static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
- int buf_size, int buf_size2)
+ int buf_size, int buf_size2, int whole_size)
 {
 RVDecContext *rv = avctx->priv_data;
 MpegEncContext *s = &rv->m;
@@ -580,6 +580,9 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
 return AVERROR_INVALIDDATA;
 }
+ if (whole_size < s->mb_width * s->mb_height / 8)
+ return AVERROR_INVALIDDATA;
+
 if ((s->mb_x == 0 && s->mb_y == 0) || !s->current_picture_ptr) {
 // FIXME write parser so we always have complete frames?
 if (s->current_picture_ptr) {
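Review bot: The size check added to rv10_decode_packet, `if (whole_size < s->mb_width * s->mb_height / 8)`, has an unexplained divisor and fails without a log message, so a rejected stream gives no hint why. As written it refuses a packet holding fewer bytes than one bit per macroblock; a comment such as `// a packet with less than 1 bit per macroblock cannot hold a coded picture` would record that intent. `whole_size` is the full packet `buf_size` passed in by rv10_decode_frame (last hunk), not this slice's own `buf_size`, so the bound also counts bytes outside the slice payload and is looser than it reads; the comment should say the lower bound is deliberately conservative. The function body starts and continues outside this hunk, so whether any header-driven reinitialisation runs before the check cannot be judged from here.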
@@ -646,7 +649,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
 // Repeat the slice end check from ff_h263_decode_mb with our active
 // bitstream size
- if (ret != SLICE_ERROR) {
+ if (ret != SLICE_ERROR && active_bits_size >= get_bits_count(&s->gb)) {
 int v = show_bits(&s->gb, 16);
 if (get_bits_count(&s->gb) + 16 > active_bits_size)
@@ -754,7 +757,7 @@ static int rv10_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 offset + FFMAX(size, size2) > buf_size)
 return AVERROR_INVALIDDATA;
- if ((ret = rv10_decode_packet(avctx, buf + offset, size, size2, buf_size)) < 0)
+ if ((ret = rv10_decode_packet(avctx, buf + offset, size, size2, buf_size)) < 0)
 return ret;
 if (ret > 8 * size)
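Review bot: The added condition `active_bits_size >= get_bits_count(&s->gb)` carries no comment explaining why the slice-end check is skipped once the reader has passed the active size. From the visible lines it keeps `get_bits_count(&s->gb) + 16 - active_bits_size` within 0..16; if that difference is used as a shift count on `v` right after the hunk (not visible here), this guard is what keeps the shift defined, and a comment such as `// reader already past active_bits_size: skip, the adjustment below assumes at most 16 excess bits` would say so. `get_bits_count(&s->gb)` is now evaluated in the guard and again in the inner test; a local `int pos = get_bits_count(&s->gb);` before the `if` would make the relation between the two comparisons easier to read. The enclosing loop starts and ends outside the hunk, so how an overrun is reported afterwards cannot be confirmed from these lines.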