X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fvqavideo.c;h=ae99c6d9c1178ab47f78f1aef85f3062eb8a2d23;hb=a129622390fca8a298c3b121f42b2d15910b9b22;hp=5db8a22b09c6b7a3060b39e8f172dfce1eff0e53;hpb=1d38c746fdcc9f604644a18fa776a63de1a9c27e;p=ffmpeg

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 5db8a22b09c..ae99c6d9c11 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -322,10 +322,17 @@ static void vqa_decode_chunk(VqaContext *s)
     int hibytes = s->decode_buffer_size / 2;
 
     /* first, traverse through the frame and find the subchunks */
-    while (index < s->size) {
+    while (index + CHUNK_PREAMBLE_SIZE <= s->size) {
+        unsigned next_index;
 
         chunk_type = AV_RB32(&s->buf[index]);
         chunk_size = AV_RB32(&s->buf[index + 4]);
+        byte_skip = chunk_size & 0x01;
+        next_index = index + CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip;
+        if (next_index > s->size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Dropping incomplete chunk\n");
+            break;
+        }
 
         switch (chunk_type) {
 
@@ -366,9 +373,7 @@ static void vqa_decode_chunk(VqaContext *s)
             chunk_type);
             break;
         }
-
-        byte_skip = chunk_size & 0x01;
-        index += (CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip);
+        index = next_index;
     }
 
     /* next, deal with the palette */
@@ -403,6 +408,7 @@ static void vqa_decode_chunk(VqaContext *s)
             g = s->buf[cpl0_chunk++] * 4;
             b = s->buf[cpl0_chunk++] * 4;
             s->palette[i] = 0xFF << 24 | r << 16 | g << 8 | b;
+            s->palette[i] |= s->palette[i] >> 6 & 0x30303;
         }
     }