diff options
Diffstat (limited to 'libavcodec/bmv.c')
-rw-r--r-- | libavcodec/bmv.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index 461111967d..c9066dfa5c 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -21,6 +21,7 @@ #include "avcodec.h" #include "bytestream.h" +#include "libavutil/avassert.h" enum BMVFlags{ BMV_NOP = 0, @@ -98,6 +99,8 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } if (!(val & 0xC)) { for (;;) { + if(shift>22) + return -1; if (!read_two_nibbles) { if (src < source || src >= source_end) return -1; @@ -131,6 +134,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, } advance_mode = val & 1; len = (val >> 1) - 1; + av_assert0(len>0); mode += 1 + advance_mode; if (mode >= 4) mode -= 3; @@ -183,8 +187,6 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, memset(dst, val, len); } break; - default: - break; } if (dst == dst_end) return 0; @@ -223,7 +225,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac return AVERROR_INVALIDDATA; } for (i = 0; i < 256; i++) - c->pal[i] = bytestream_get_be24(&c->stream); + c->pal[i] = 0xFFU << 24 | bytestream_get_be24(&c->stream); } if (type & BMV_SCROLL) { if (c->stream - pkt->data > pkt->size - 2) { @@ -277,6 +279,11 @@ static av_cold int decode_init(AVCodecContext *avctx) c->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (avctx->width != SCREEN_WIDE || avctx->height != SCREEN_HIGH) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimension %dx%d\n", avctx->width, avctx->height); + return AVERROR_INVALIDDATA; + } + c->frame = c->frame_base + 640; return 0; |