X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fsvq1dec.c;h=eb643446d1649c950d3328fca308bd636543e197;hb=bf10f09bccdcfdb41b9f5bbae01d55961bfd0693;hp=1e7ab494a8415f50d462274d6c436a718d169998;hpb=2f5bf2f7f20f29bad8c459824eaf33f2e0e483b5;p=ffmpeg
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index 1e7ab494a84..eb643446d16 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -60,6 +60,10 @@ typedef struct SVQ1Context {
 HpelDSPContext hdsp;
 GetBitContext gb;
 AVFrame *prev;
+
+ uint8_t *pkt_swapped;
+ int pkt_swapped_allocated;
+
 int width;
 int height;
 int frame_code;
@@ -624,7 +628,24 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
 /* swap some header bytes (why?) */
 if (s->frame_code != 0x20) {
- uint32_t *src = (uint32_t *)(buf + 4);
+ uint32_t *src;
+
+ if (buf_size < 9 * 4) {
+ av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ av_fast_padded_malloc(&s->pkt_swapped, &s->pkt_swapped_allocated,
+ buf_size);
+ if (!s->pkt_swapped)
+ return AVERROR(ENOMEM);
+
+ memcpy(s->pkt_swapped, buf, buf_size);
+ buf = s->pkt_swapped;
+ init_get_bits(&s->gb, buf, buf_size * 8);
+ skip_bits(&s->gb, 22);
+
+ src = (uint32_t *)(s->pkt_swapped + 4);
 if (buf_size < 36)
 return AVERROR_INVALIDDATA;
@@ -796,6 +817,8 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx)
 SVQ1Context *s = avctx->priv_data;
 av_frame_free(&s->prev);
+ av_freep(&s->pkt_swapped);
+ s->pkt_swapped_allocated = 0;
 return 0;
 }
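Review bot: `pkt_swapped_allocated` is declared `int`, but the svq1_decode_frame hunk passes its address to `av_fast_padded_malloc()`, whose size argument is an `unsigned int *`. The pointer signedness mismatch draws a compiler warning, and a signed type is the wrong fit for a capacity the allocator maintains; `unsigned int pkt_swapped_allocated;` matches the API. The two fields also deserve a short comment, for example `/* decoder-owned copy of the packet; the header byte swap appears to operate on this copy rather than on the input buffer */`, since the struct itself gives no hint why a second packet buffer exists.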
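Review bot: The existing `if (buf_size < 36) return AVERROR_INVALIDDATA;` right after the new block can no longer fire, because the added `buf_size < 9 * 4` guard rejects the same sizes earlier. Dropping the later check leaves a single, visible length gate ahead of the `memcpy` and the `uint32_t *` cast. The result of `init_get_bits()` is discarded and `buf_size * 8` is computed in `int`; if the function reports failure in this tree, propagate it rather than continuing with an unusable bit reader. `skip_bits(&s->gb, 22)` presumably re-skips header bits already parsed from the original buffer, so a comment such as `/* re-sync reader: header bits consumed before the copy */` would tie the constant to the reads above. svq1_decode_frame starts before and continues after this hunk, so the earlier parsing and the swap loop are not visible here.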