X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Ftruemotion2.c;h=58a577f53c75af1b0af226829d367d223611ad52;hb=462d1be6dec5ff4768be8c202f359cbf037db3c6;hp=97c38f7f088d275697c13ab308be15e15a97fec7;hpb=d0f098a5e0bae84d98eb48ea5ba173422e004fe3;p=ffmpeg diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 97c38f7f088..58a577f53c7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; + int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -376,6 +377,10 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i } } } else { + if (len < 0) { + ret = AVERROR_INVALIDDATA; + goto end; + } for (i = 0; i < toks; i++) { ctx->tokens[stream_id][i] = codes.recode[0]; if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { @@ -398,6 +403,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); + ctx->error = 1; return 0; } if (type <= TM2_MOT) { @@ -449,7 +455,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { - int ct, d; + unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ @@ -809,6 +815,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } + if (ctx->error) + return AVERROR_INVALIDDATA; } } @@ -889,6 +897,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; + l->error = 0; + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");