X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Ficodec.c;h=17acfb4b2fb483da742a8af357c2fb8d9123856b;hb=14478b6c3820339442d8c96b701d021499de0827;hp=6ddb901b7ee7f152f210014713b9af8caba5333c;hpb=0e3e3656d31a7e1e595ccb5ca3acfc76a23d785e;p=ffmpeg

diff --git a/libavformat/icodec.c b/libavformat/icodec.c
index 6ddb901b7ee..17acfb4b2fb 100644
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -45,11 +45,14 @@ typedef struct {
 
 static int probe(AVProbeData *p)
 {
-    unsigned i, frames = AV_RL16(p->buf + 4);
+    unsigned i, frames, checked = 0;
 
-    if (AV_RL16(p->buf) || AV_RL16(p->buf + 2) != 1 || !frames)
+    if (p->buf_size < 22 || AV_RL16(p->buf) || AV_RL16(p->buf + 2) != 1)
         return 0;
-    for (i = 0; i < frames; i++) {
+    frames = AV_RL16(p->buf + 4);
+    if (!frames)
+        return 0;
+    for (i = 0; i < frames && i * 16 + 22 <= p->buf_size; i++) {
         unsigned offset;
         if (AV_RL16(p->buf + 10 + i * 16) & ~1)
             return FFMIN(i, AVPROBE_SCORE_MAX / 4);
@@ -60,14 +63,15 @@ static int probe(AVProbeData *p)
         offset = AV_RL32(p->buf + 18 + i * 16);
         if (offset < 22)
             return FFMIN(i, AVPROBE_SCORE_MAX / 4);
-        if (offset + 8 > p->buf_size)
-            return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1);
+        if (offset > p->buf_size - 8)
+            continue;
         if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
             return FFMIN(i, AVPROBE_SCORE_MAX / 4);
-        if (i * 16 + 6 > p->buf_size)
-            return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1);
+        checked++;
     }
 
+    if (checked < frames)
+        return AVPROBE_SCORE_MAX / 4 + FFMIN(checked, 1);
     return AVPROBE_SCORE_MAX / 2 + 1;
 }