diff options
Diffstat (limited to 'libavcodec/xan.c')
-rw-r--r-- | libavcodec/xan.c | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index ca2e8e0e2c..2ee22910f1 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -2,20 +2,20 @@ * Wing Commander/Xan Video Decoder * Copyright (C) 2003 the ffmpeg project * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -90,6 +90,7 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) av_freep(&s->buffer1); return AVERROR(ENOMEM); } + avcodec_get_frame_defaults(&s->last_frame); return 0; } @@ -290,6 +291,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) const unsigned char *size_segment; const unsigned char *vector_segment; const unsigned char *imagedata_segment; + const unsigned char *buf_end = s->buf + s->size; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; @@ -361,17 +363,29 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) case 9: case 19: + if (buf_end - size_segment < 1) { + av_log(s->avctx, AV_LOG_ERROR, "size_segment overread\n"); + return AVERROR_INVALIDDATA; + } size = *size_segment++; break; case 10: case 20: + if (buf_end - size_segment < 2) { + av_log(s->avctx, AV_LOG_ERROR, "size_segment overread\n"); + return AVERROR_INVALIDDATA; + } size = AV_RB16(&size_segment[0]); size_segment += 2; break; case 11: case 21: + if (buf_end - size_segment < 3) { + av_log(s->avctx, AV_LOG_ERROR, "size_segment overread\n"); + return AVERROR_INVALIDDATA; + } size = AV_RB24(size_segment); size_segment += 3; break; @@ -394,6 +408,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) imagedata_size -= size; } } else { + if (vector_segment >= buf_end) { + av_log(s->avctx, AV_LOG_ERROR, "vector_segment overread\n"); + return AVERROR_INVALIDDATA; + } /* run-based motion compensation from last frame */ motion_x = sign_extend(*vector_segment >> 4, 4); motion_y = sign_extend(*vector_segment & 0xF, 4); @@ -515,6 +533,10 @@ static int xan_decode_frame(AVCodecContext *avctx, int i; tag = bytestream2_get_le32(&ctx); size = bytestream2_get_be32(&ctx); + if(size < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid tag size %d\n", size); + return AVERROR_INVALIDDATA; + } size = FFMIN(size, bytestream2_get_bytes_left(&ctx)); switch (tag) { case PALT_TAG: @@ -538,7 +560,7 @@ static int xan_decode_frame(AVCodecContext *avctx, int g = gamma_lookup[bytestream2_get_byteu(&ctx)]; int b = gamma_lookup[bytestream2_get_byteu(&ctx)]; #endif - *tmpptr++ = (r << 16) | (g << 8) | b; + *tmpptr++ = (0xFFU << 24) | (r << 16) | (g << 8) | b; } s->palettes_count++; break; @@ -565,10 +587,8 @@ static int xan_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF))) { - av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; - } if (!s->frame_size) s->frame_size = frame->linesize[0] * s->avctx->height; |