X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fwmv2dec.c;h=afa65478e3450dbecf3289e8c6fb3d3d2b8b29c2;hb=ec749ed2225e0c33f0910fc318c73da6f4ceb587;hp=92daa1639e5e9b7a2572b891d5d1c964f4213af2;hpb=fbd607dd560afe44c3b90de1e6cbe5265cac8f1e;p=ffmpeg

diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c
index 92daa1639e5..afa65478e34 100644
--- a/libavcodec/wmv2dec.c
+++ b/libavcodec/wmv2dec.c
@@ -33,6 +33,7 @@
 static int parse_mb_skip(Wmv2Context *w)
 {
     int mb_x, mb_y;
+    int coded_mb_count = 0;
     MpegEncContext *const s = &w->s;
     uint32_t *const mb_type = s->current_picture_ptr->mb_type;
 
@@ -83,6 +84,14 @@ static int parse_mb_skip(Wmv2Context *w)
         }
         break;
     }
+
+    for (mb_y = 0; mb_y < s->mb_height; mb_y++)
+        for (mb_x = 0; mb_x < s->mb_width; mb_x++)
+            coded_mb_count += !IS_SKIP(mb_type[mb_y * s->mb_stride + mb_x]);
+
+    if (coded_mb_count > get_bits_left(&s->gb))
+        return AVERROR_INVALIDDATA;
+
     return 0;
 }
 
@@ -230,6 +239,9 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s)
             s->rl_chroma_table_index = s->rl_table_index;
         }
 
+        if (get_bits_left(&s->gb) < 2)
+            return AVERROR_INVALIDDATA;
+
         s->dc_table_index   = get_bits1(&s->gb);
         s->mv_table_index   = get_bits1(&s->gb);