comparison flashsv.c @ 11363:a4596f842e18 libavcodec

Fixed buffer overread in flashsv decoder.
author fenrir
date Thu, 04 Mar 2010 19:10:44 +0000
parents 39a7bdbf0d40
children 8a4984c5cacc
11362:1682a19a0881 11363:a4596f842e18
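--- a/flashsv.c
+++ b/flashsv.c
@@ -111,10 +111,12 @@
 GetBitContext gb;
 
 /* no supplementary picture */
 if (buf_size == 0)
 return 0;
+if (buf_size < 4)
+return -1;
 
 init_get_bits(&gb, buf, buf_size * 8);
 
 /* start to parse the bitstream */
 s->block_width = 16* (get_bits(&gb, 4)+1);
@@ -179,10 +181,15 @@
 int wp = i*s->block_width; // vert position in frame
 int ws = (i<h_blocks)?s->block_width:h_part; // size of block
 
 /* get the size of the compressed zlib chunk */
 int size = get_bits(&gb, 16);
+if (8 * size > get_bits_left(&gb)) {
+avctx->release_buffer(avctx, &s->frame);
+s->frame.data[0] = NULL;
+return -1;
+}
 
 if (size == 0) {
 /* no change, don't do anything */
 } else {
 /* decompress block */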
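Review bot: The new `8 * size > get_bits_left(&gb)` branch fails silently: it releases the frame and returns -1 with no diagnostic, so a truncated or malformed packet cannot be told apart from any other decode failure when triaging crashes or fuzzing results. I would add `av_log(avctx, AV_LOG_ERROR, "chunk size %d exceeds remaining input\n", size);` as the first statement of that branch. The `buf_size < 4` guard also uses a bare constant; presumably it covers the fixed header whose first field is read by `get_bits(&gb, 4)` just below, and a comment such as `/* header fields need 4 bytes */` would let a reader confirm that the bound matches the reads that follow. The enclosing function and the block loop both start and end outside these hunks, so whether later reads are equally bounded cannot be checked from here.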