diff options
Diffstat (limited to 'libavcodec/bmv.c')
-rw-r--r-- | libavcodec/bmv.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 4d496430cc..d06ebae7e0 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -21,6 +21,7 @@ #include "avcodec.h" #include "bytestream.h" +#include "libavutil/avassert.h" enum BMVFlags{ BMV_NOP = 0, @@ -98,6 +99,8 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } if (!(val & 0xC)) { for (;;) { + if(shift>22) + return -1; if (!read_two_nibbles) { if (src < source || src >= source_end) return -1; @@ -131,6 +134,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } advance_mode = val & 1; len = (val >> 1) - 1; + av_assert0(len>0); mode += 1 + advance_mode; if (mode >= 4) mode -= 3; @@ -223,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac return AVERROR_INVALIDDATA; } for (i = 0; i < 256; i++) - c->pal[i] = bytestream_get_be24(&c->stream); + c->pal[i] = 0xFF << 24 | bytestream_get_be24(&c->stream); } if (type & BMV_SCROLL) { if (c->stream - pkt->data > pkt->size - 2) { |