X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Fmvdec.c;h=c4fa980bf2196c996531bee7110fc8c2843c2a2c;hb=cae57cae1f70371591223a5f9fe3f370ce8dfd50;hp=fa596179ed97ab8fd25d07bacaee0ad4a98153b4;hpb=4069096dd535ee99175c2a29c1a1f59c3fc110c1;p=ffmpeg

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index fa596179ed9..c4fa980bf21 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -46,7 +46,7 @@ typedef struct MvContext {
 
 #define AUDIO_FORMAT_SIGNED 401
 
-static int mv_probe(AVProbeData *p)
+static int mv_probe(const AVProbeData *p)
 {
     if (AV_RB32(p->buf) == MKBETAG('M', 'O', 'V', 'I') &&
         AV_RB16(p->buf + 4) < 3)
@@ -159,7 +159,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st,
         st->codecpar->sample_rate = var_read_int(pb, size);
         avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
     } else if (!strcmp(name, "SAMPLE_WIDTH")) {
-        st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8;
+        uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;
+        if (bpc > 16)
+            return AVERROR_INVALIDDATA;
+        st->codecpar->bits_per_coded_sample = bpc;
     } else
         return AVERROR_INVALIDDATA;
 
@@ -211,6 +214,8 @@ static int parse_video_var(AVFormatContext *avctx, AVStream *st,
     } else if (!strcmp(name, "ORIENTATION")) {
         if (var_read_int(pb, size) == 1101) {
             st->codecpar->extradata      = av_strdup("BottomUp");
+            if (!st->codecpar->extradata)
+                return AVERROR(ENOMEM);
             st->codecpar->extradata_size = 9;
         }
     } else if (!strcmp(name, "Q_SPATIAL") || !strcmp(name, "Q_TEMPORAL")) {
@@ -266,7 +271,7 @@ static void read_index(AVIOContext *pb, AVStream *st)
         avio_skip(pb, 8);
         av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME);
         if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) {
-            timestamp += size / (st->codecpar->channels * 2);
+            timestamp += size / (st->codecpar->channels * 2LL);
         } else {
             timestamp++;
         }
@@ -353,7 +358,7 @@ static int mv_read_header(AVFormatContext *avctx)
             avio_skip(pb, 8);
             av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
             av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
-            timestamp += asize / (ast->codecpar->channels * 2);
+            timestamp += asize / (ast->codecpar->channels * 2LL);
         }
     } else if (!version && avio_rb16(pb) == 3) {
         avio_skip(pb, 4);
@@ -361,6 +366,12 @@ static int mv_read_header(AVFormatContext *avctx)
         if ((ret = read_table(avctx, NULL, parse_global_var)) < 0)
             return ret;
 
+        if (mv->nb_audio_tracks < 0  || mv->nb_video_tracks < 0 ||
+           (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) {
+            av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         if (mv->nb_audio_tracks > 1) {
             avpriv_request_sample(avctx, "Multiple audio streams support");
             return AVERROR_PATCHWELCOME;
@@ -423,8 +434,8 @@ static int mv_read_packet(AVFormatContext *avctx, AVPacket *pkt)
     int64_t ret;
     uint64_t pos;
 
-    if (frame < st->nb_index_entries) {
-        index = &st->index_entries[frame];
+    if (frame < st->internal->nb_index_entries) {
+        index = &st->internal->index_entries[frame];
         pos   = avio_tell(pb);
         if (index->pos > pos)
             avio_skip(pb, index->pos - pos);