X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fvcr1.c;h=76c47eb2a4e7ac3b498bb53d0e819ae5a0fdd047;hb=4628443ca3534060888dd0015b229337eac13fd2;hp=c4b817ead8c22a5d6f6e42e3b95a0f3313c28f56;hpb=759001c534287a96dc96d1e274665feb7059145d;p=ffmpeg

diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c
index c4b817ead8c..76c47eb2a4e 100644
--- a/libavcodec/vcr1.c
+++ b/libavcodec/vcr1.c
@@ -37,6 +37,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx)
 {
     avctx->pix_fmt = AV_PIX_FMT_YUV410P;
 
+    if (avctx->width & 7) {
+        av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width);
+        return AVERROR_INVALIDDATA;
+    }
+
     return 0;
 }
 
@@ -57,9 +62,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
     p->pict_type = AV_PICTURE_TYPE_I;
     p->key_frame = 1;
 
+    if (buf_size < 32)
+        goto packet_small;
+
     for (i = 0; i < 16; i++) {
         a->delta[i] = *bytestream++;
         bytestream++;
+        buf_size--;
     }
 
     for (y = 0; y < avctx->height; y++) {
@@ -70,8 +79,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
             uint8_t *cb = &p->data[1][(y >> 2) * p->linesize[1]];
             uint8_t *cr = &p->data[2][(y >> 2) * p->linesize[2]];
 
+            if (buf_size < 4 + avctx->width)
+                goto packet_small;
+
             for (i = 0; i < 4; i++)
                 a->offset[i] = *bytestream++;
+            buf_size -= 4;
 
             offset = a->offset[0] - a->delta[bytestream[2] & 0xF];
             for (x = 0; x < avctx->width; x += 4) {
@@ -85,8 +98,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
                 *cr++       = bytestream[1];
 
                 bytestream += 4;
+                buf_size   -= 4;
             }
         } else {
+            if (buf_size < avctx->width / 2)
+                goto packet_small;
+
             offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF];
 
             for (x = 0; x < avctx->width; x += 8) {
@@ -100,6 +117,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
                 luma[7]     = offset += a->delta[bytestream[1] >>  4];
                 luma       += 8;
                 bytestream += 4;
+                buf_size   -= 4;
             }
         }
     }
@@ -107,15 +125,18 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame = 1;
 
     return buf_size;
+packet_small:
+    av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n");
+    return AVERROR_INVALIDDATA;
 }
 
 AVCodec ff_vcr1_decoder = {
     .name           = "vcr1",
+    .long_name      = NULL_IF_CONFIG_SMALL("ATI VCR1"),
     .type           = AVMEDIA_TYPE_VIDEO,
     .id             = AV_CODEC_ID_VCR1,
     .priv_data_size = sizeof(VCR1Context),
     .init           = vcr1_decode_init,
     .decode         = vcr1_decode_frame,
-    .capabilities   = CODEC_CAP_DR1,
-    .long_name      = NULL_IF_CONFIG_SMALL("ATI VCR1"),
+    .capabilities   = AV_CODEC_CAP_DR1,
 };