X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fscpr3.c;h=78c58889cbd8b62796f83375ba32cc50a357734b;hb=eb6ea948ed2f86361ae0b9d8689368d466b8337f;hp=f92ccfa90262e6294fda2668b38f0a382bfa7cbd;hpb=8f63fa4c2ec1cbdc92d3ebe29ff5b498e4acafdb;p=ffmpeg

diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c
index f92ccfa9026..78c58889cbd 100644
--- a/libavcodec/scpr3.c
+++ b/libavcodec/scpr3.c
@@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m)
         }
         p = (e + 127) >> 7;
         k = ((f + e - 1) >> 7) + 1;
+        if (k > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
         for (i = 0; i < k - p; i++)
             n.dectab[p + i] = j;
         e += f;
@@ -522,32 +524,16 @@ static int update_model1_to_4(PixelModel3 *m, uint32_t val)
 
 static int update_model1_to_5(PixelModel3 *m, uint32_t val)
 {
-    PixelModel3 n = {0};
     int i, size, freqs;
     uint32_t a;
 
+    update_model1_to_4(m, val);
     size = m->size;
-    n.size = size;
-    for (i = 0; i < size; i++) {
-        n.symbols[i] = m->symbols[i];
-    }
-    AV_QSORT(n.symbols, size, uint8_t, cmpbytes);
-    size = n.size;
-    for (i = 0; i < size; i++) {
-        if (val == n.symbols[i]) {
-            n.freqs[i] = 100;
-            n.maxpos = i;
-        } else {
-            n.freqs[i] = 50;
-        }
-    }
     a = 256 - size;
     for (i = 0; i < size; i++, a += freqs)
-        freqs = n.freqs[i];
-    n.type = 5;
-    n.cntsum = a;
-
-    memcpy(m, &n, sizeof(n));
+        freqs = m->freqs[i];
+    m->type = 5;
+    m->cntsum = a;
 
     return 0;
 }
@@ -702,7 +688,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value)
         e = d;
         n.cntsum += n.cnts[e];
         n.freqs1[e] = c;
-        for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) {
+        g = n.freqs[e];
+        f = (c + g - 1 >> 7) + 1;
+        if (f > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
+        for (q = c + 128 - 1 >> 7; q < f; q++) {
             n.dectab[q] = e;
         }
         c += g;
@@ -837,6 +827,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
     uint16_t a = 0, b = 0;
     uint32_t param;
     int type;
+    int ret;
 
     type = m->type;
     switch (type) {
@@ -859,7 +850,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
         break;
     case 3:
         *value = bytestream2_get_byte(&s->gb);
-        decode_static3(m, *value);
+        ret = decode_static3(m, *value);
+        if (ret < 0)
+            return AVERROR_INVALIDDATA;
         sync_code3(gb, rc);
         break;
     case 4:
@@ -877,7 +870,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
         break;
     case 6:
         if (!decode_adaptive6(m, code, value, &a, &b)) {
-            update_model6_to_7(m);
+            ret = update_model6_to_7(m);
+            if (ret < 0)
+                return AVERROR_INVALIDDATA;
         }
         decode3(gb, rc, a, b);
         sync_code3(gb, rc);
@@ -1007,7 +1002,7 @@ static int decompress_i3(AVCodecContext *avctx, uint32_t *dst, int linesize)
         ret = decode_run_i(avctx, ptype, run, &x, &y, clr,
                            dst, linesize, &lx, &ly,
                            backstep, off, &cx, &cx1);
-        if (run < 0)
+        if (ret < 0)
             return ret;
     }
 
@@ -1038,6 +1033,9 @@ static int decompress_p3(AVCodecContext *avctx,
                          s->range_model3.freqs[1],
                          s->range_model3.cnts,
                          s->range_model3.dectab, &temp);
+    if (ret < 0)
+        return ret;
+
     min += temp << 8;
     ret |= decode_value3(s, 255, &s->range_model3.cntsum,
                          s->range_model3.freqs[0],