diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index e4b940cc60..115973132f 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -157,8 +157,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height bitbuf = bytestream2_get_le16u(gb); mask = 1; } - if (frame_end - frame < width + 2) - return AVERROR_INVALIDDATA; + if (bitbuf & mask) { v = bytestream2_get_le16(gb); offset = (v & 0x1FFF) << 2; @@ -172,9 +171,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream2_get_le16(gb) * 2; + v = bytestream2_get_le16(gb)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index dd9ab684fe..d19c6044ab 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -427,8 +427,11 @@ static int decode_cell_data(Cell *cell, uint8_t *block, uint8_t *ref_block, blk_row_offset = (row_offset << (2 + v_zoom)) - (cell->width << 2); line_offset = v_zoom ? row_offset : 0; - for (y = 0; y + v_zoom < cell->height; is_first_row = 0, y += 1 + v_zoom) { - for (x = 0; x + h_zoom < cell->width; x += 1 + h_zoom) { + if (cell->height & v_zoom || cell->width & h_zoom) + return IV3_BAD_DATA; + + for (y = 0; y < cell->height; is_first_row = 0, y += 1 + v_zoom) { + for (x = 0; x < cell->width; x += 1 + h_zoom) { ref = ref_block; dst = block; diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 0a93d1e4c0..fd43e33e9d 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -452,8 +452,8 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; - if( tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size) ){ - av_log(avctx, AV_LOG_ERROR, "allocated tile size %d mismatches parameters %d\n", + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n", tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index f0c81be6cb..9ecf9cdf2c 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -495,8 +495,17 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) return 0; } -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, - IVITile *tile, int32_t mv_scale) +/** + * Handle empty tiles by performing data copying and motion + * compensation respectively. + * + * @param[in] avctx ptr to the AVCodecContext + * @param[in] band pointer to the band descriptor + * @param[in] tile pointer to the tile descriptor + * @param[in] mv_scale scaling factor for motion vectors + */ +static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, + IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; int offs, mb_offset, row_offset; @@ -506,10 +515,11 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); - if( tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size) ){ - av_log(avctx, AV_LOG_ERROR, "allocated tile size %d mismatches parameters %d in ff_ivi_process_empty_tile()\n", + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " + "parameters %d in ivi_process_empty_tile()\n", tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); - return; + return AVERROR_INVALIDDATA; } offs = tile->ypos * band->pitch + tile->xpos; @@ -592,6 +602,8 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, dst += band->pitch; } } + + return 0; } @@ -689,8 +701,10 @@ static int decode_band(IVI45DecContext *ctx, int plane_num, } tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, + result = ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + if (result < 0) + break; av_dlog(avctx, "Empty tile encountered!\n"); } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index fae7f4bea5..4636f6ce52 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -377,18 +377,6 @@ int ff_ivi_dec_tile_data_size(GetBitContext *gb); */ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile); -/** - * Handle empty tiles by performing data copying and motion - * compensation respectively. - * - * @param[in] avctx ptr to the AVCodecContext - * @param[in] band pointer to the band descriptor - * @param[in] tile pointer to the tile descriptor - * @param[in] mv_scale scaling factor for motion vectors - */ -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, - IVITile *tile, int32_t mv_scale); - /** * Convert and output the current plane. * This conversion is done by adding back the bias value of 128 diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index cdd4eb851b..7d6bd8e756 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -406,7 +406,8 @@ static void decode_ac_filter(WmallDecodeCtx *s) s->acfilter_scaling = get_bits(&s->gb, 4); for (i = 0; i < s->acfilter_order; i++) - s->acfilter_coeffs[i] = (s->acfilter_scaling ? get_bits(&s->gb, s->acfilter_scaling) : 0) + 1; + s->acfilter_coeffs[i] = (s->acfilter_scaling ? + get_bits(&s->gb, s->acfilter_scaling) : 0) + 1; } static void decode_mclms(WmallDecodeCtx *s)