X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Frv10.c;h=e594160fead232bc2842a860c206281b83b05f1b;hb=1ab3ae6fd5b1866aa42cfc0c5d79700adb7281d8;hp=595e2175190abc17656c932f6f2c5df877b34327;hpb=7167ac33a8f2c7d063384c267f984f23d2b73854;p=ffmpeg

diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 595e2175190..e594160fead 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -388,9 +388,9 @@ static int rv20_decode_picture_header(RVDecContext *rv)
             // attempt to keep aspect during typical resolution switches
             if (!old_aspect.num)
                 old_aspect = (AVRational){1, 1};
-            if (2 * new_w * s->height == new_h * s->width)
+            if (2 * (int64_t)new_w * s->height == (int64_t)new_h * s->width)
                 s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){2, 1});
-            if (new_w * s->height == 2 * new_h * s->width)
+            if ((int64_t)new_w * s->height == 2 * (int64_t)new_h * s->width)
                 s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){1, 2});
 
             ret = ff_set_dimensions(s->avctx, new_w, new_h);
@@ -550,7 +550,7 @@ static av_cold int rv10_decode_end(AVCodecContext *avctx)
 }
 
 static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
-                              int buf_size, int buf_size2)
+                              int buf_size, int buf_size2, int whole_size)
 {
     RVDecContext *rv = avctx->priv_data;
     MpegEncContext *s = &rv->m;
@@ -580,6 +580,9 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
         return AVERROR_INVALIDDATA;
     }
 
+    if (whole_size < s->mb_width * s->mb_height / 8)
+        return AVERROR_INVALIDDATA;
+
     if ((s->mb_x == 0 && s->mb_y == 0) || !s->current_picture_ptr) {
         // FIXME write parser so we always have complete frames?
         if (s->current_picture_ptr) {
@@ -646,7 +649,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
 
         // Repeat the slice end check from ff_h263_decode_mb with our active
         // bitstream size
-        if (ret != SLICE_ERROR) {
+        if (ret != SLICE_ERROR && active_bits_size >= get_bits_count(&s->gb)) {
             int v = show_bits(&s->gb, 16);
 
             if (get_bits_count(&s->gb) + 16 > active_bits_size)
@@ -754,7 +757,7 @@ static int rv10_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             offset + FFMAX(size, size2) > buf_size)
             return AVERROR_INVALIDDATA;
 
-        if ((ret = rv10_decode_packet(avctx, buf + offset, size, size2)) < 0)
+        if ((ret = rv10_decode_packet(avctx, buf + offset, size, size2, buf_size)) < 0)
             return ret;
 
         if (ret > 8 * size)
@@ -798,6 +801,7 @@ AVCodec ff_rv10_decoder = {
     .close          = rv10_decode_end,
     .decode         = rv10_decode_frame,
     .capabilities   = AV_CODEC_CAP_DR1,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
     .max_lowres     = 3,
     .pix_fmts       = (const enum AVPixelFormat[]) {
         AV_PIX_FMT_YUV420P,
@@ -815,6 +819,7 @@ AVCodec ff_rv20_decoder = {
     .close          = rv10_decode_end,
     .decode         = rv10_decode_frame,
     .capabilities   = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY,
+    .caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
     .flush          = ff_mpeg_flush,
     .max_lowres     = 3,
     .pix_fmts       = (const enum AVPixelFormat[]) {