X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fsnowdec.c;h=bcb346906290df26b9e3dcd0255b8ce69e8f26ea;hb=f78f3df7e01c266e83a98285fa3b5cd5823dab4d;hp=042aecbbeb8efd99374e4241fbc743096aa4c259;hpb=e6ee42febbdeaaab779a66c5002155c78a3eae8d;p=ffmpeg
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 042aecbbeb8..bcb34690629 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){
 av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count);
 return AVERROR_INVALIDDATA;
 }
+ if (s->avctx->width > 65536-4) {
+ av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width);
+ return AVERROR_INVALIDDATA;
+ }
 s->qlog += get_symbol(&s->c, s->header_state, 1);
@@ -395,6 +399,11 @@ static int decode_header(SnowContext *s){
 s->block_max_depth= 0;
 return AVERROR_INVALIDDATA;
 }
+ if (FFABS(s->qbias) > 127) {
+ av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias);
+ s->qbias = 0;
+ return AVERROR_INVALIDDATA;
+ }
 return 0;
 }
@@ -507,14 +516,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 }
 }
- {
 for(level=0; levelspatial_decomposition_count; level++){
 for(orientation=level ? 1 : 0; orientation<4; orientation++){
 SubBand *b= &p->band[level][orientation];
 unpack_coeffs(s, b, b->parent, orientation);
 }
 }
- }
 {
 const int mb_h= s->b_height << s->block_max_depth;
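Review bot: The bound `65536-4` in the width check added by the first hunk (`@@ -384`, inside decode_header) is a bare magic number, so a reader cannot tell which downstream quantity it protects or what the `-4` margin covers. I would put a one-line comment above the check, along the lines of `/* width must stay below 65536-4 so that <field/index> cannot overflow; -4 covers <margin> */`, with the placeholders filled in by someone who knows the consumer. Without that, a later change to the storage type on the consuming side can silently invalidate the limit. Only width is bounded here; if height feeds the same kind of storage it would need the same treatment, which cannot be judged from this hunk. decode_header starts and ends outside the hunk.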
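Review bot: `FFABS(s->qbias) > 127` in the second hunk (`@@ -395`, end of decode_header) negates its argument when it is negative, which is signed overflow if qbias is ever INT_MIN. A plain range test, `if (s->qbias < -127 || s->qbias > 127) {`, rejects the same values without the negation. Whether INT_MIN is reachable depends on the range of get_symbol() and on how qbias is updated, presumably by accumulation like `s->qlog += get_symbol(...)` in the previous hunk. That update is not visible here, so the addition itself is worth checking for overflow too. decode_header begins outside the hunk.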