diff options
Diffstat (limited to 'libavcodec/flashsv.c')
| -rw-r--r-- | libavcodec/flashsv.c | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index e9749fec33..3d185d5184 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -3,20 +3,20 @@ * Copyright (C) 2004 Alex Beregszaszi * Copyright (C) 2006 Benjamin Larsson * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -126,6 +126,9 @@ static int flashsv2_prime(FlashSVContext *s, uint8_t *src, int size) z_stream zs; int zret; // Zlib return code + if (!src) + return AVERROR_INVALIDDATA; + zs.zalloc = NULL; zs.zfree = NULL; zs.opaque = NULL; @@ -136,7 +139,8 @@ static int flashsv2_prime(FlashSVContext *s, uint8_t *src, int size) s->zstream.avail_out = s->block_size * 3; inflate(&s->zstream, Z_SYNC_FLUSH); - deflateInit(&zs, 0); + if (deflateInit(&zs, 0) != Z_OK) + return -1; zs.next_in = s->tmpblock; zs.avail_in = s->block_size * 3 - s->zstream.avail_out; zs.next_out = s->deflate_block; @@ -241,6 +245,8 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, FlashSVContext *s = avctx->priv_data; int h_blocks, v_blocks, h_part, v_part, i, j, ret; GetBitContext gb; + int last_blockwidth = s->block_width; + int last_blockheight= s->block_height; /* no supplementary picture */ if (buf_size == 0) @@ -256,6 +262,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, s->block_height = 16 * (get_bits(&gb, 4) + 1); s->image_height = get_bits(&gb, 12); + if ( last_blockwidth != s->block_width + || last_blockheight!= s->block_height) + av_freep(&s->blocks); + if (s->ver == 2) { skip_bits(&gb, 6); if (get_bits1(&gb)) { @@ -301,8 +311,7 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, /* initialize the image size once */ if (avctx->width == 0 && avctx->height == 0) { - avctx->width = s->image_width; - avctx->height = s->image_height; + avcodec_set_dimensions(avctx, s->image_width, s->image_height); } /* check for changes of image width and image height */ @@ -319,19 +328,17 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, if (s->is_keyframe) { s->keyframedata = av_realloc(s->keyframedata, avpkt->size); memcpy(s->keyframedata, avpkt->data, avpkt->size); - s->blocks = av_realloc(s->blocks, - (v_blocks + !!v_part) * (h_blocks + !!h_part) - * sizeof(s->blocks[0])); } + if(s->ver == 2 && !s->blocks) + s->blocks = av_mallocz((v_blocks + !!v_part) * (h_blocks + !!h_part) + * sizeof(s->blocks[0])); av_dlog(avctx, "image: %dx%d block: %dx%d num: %dx%d part: %dx%d\n", s->image_width, s->image_height, s->block_width, s->block_height, h_blocks, v_blocks, h_part, v_part); - if ((ret = ff_reget_buffer(avctx, &s->frame)) < 0) { - av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); + if ((ret = ff_reget_buffer(avctx, &s->frame)) < 0) return ret; - } /* loop over all block columns */ for (j = 0; j < v_blocks + (v_part ? 1 : 0); j++) { @@ -380,6 +387,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); + if (s->diff_start + s->diff_height > cur_blk_height) { + av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n"); + return AVERROR_INVALIDDATA; + } av_log(avctx, AV_LOG_DEBUG, "%dx%d diff start %d height %d\n", i, j, s->diff_start, s->diff_height); |