X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Ftruemotion1.c;h=b6481cbd7c74f19d086b12f092cc864bef66e687;hb=6268034b5d03580f86e9ff5a1879ebd56f35db40;hp=e1824384c5eeeb4c6c4481eaa731ca995447e037;hpb=27e30c73d722ec13e59753dea91be00859c72bf2;p=ffmpeg

diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index e1824384c5e..b6481cbd7c7 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -444,6 +444,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
     if (s->flags & FLAG_KEYFRAME) {
         /* no change bits specified for a keyframe; only index bytes */
         s->index_stream = s->mb_change_bits;
+        if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size)
+            return AVERROR_INVALIDDATA;
     } else {
         /* one change bit per 4x4 block */
         s->index_stream = s->mb_change_bits +
@@ -882,7 +884,7 @@ static int truemotion1_decode_frame(AVCodecContext *avctx,
     if ((ret = truemotion1_decode_header(s)) < 0)
         return ret;
 
-    if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
+    if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0)
         return ret;
 
     if (compression_types[s->compression].algorithm == ALGO_RGB24H) {