1 files changed, 41 insertions, 30 deletions

diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
index 5b14877061..04d18ba535 100644
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -2,20 +2,20 @@
  * VMware Screen Codec (VMnc) decoder
  * Copyright (c) 2006 Konstantin Shishkov
  *
- * This file is part of Libav.
+ * This file is part of FFmpeg.
  *
- * Libav is free software; you can redistribute it and/or
+ * FFmpeg is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
- * Libav is distributed in the hope that it will be useful,
+ * FFmpeg is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
- * License along with Libav; if not, write to the Free Software
+ * License along with FFmpeg; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
@@ -57,7 +57,7 @@ enum HexTile_Flags {
  */
 typedef struct VmncContext {
     AVCodecContext *avctx;
-    AVFrame pic;
+    AVFrame *frame;
 
     int bpp;
     int bpp2;
@@ -310,16 +310,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     GetByteContext *gb = &c->gb;
     uint8_t *outptr;
     int dx, dy, w, h, depth, enc, chunks, res, size_left, ret;
+    AVFrame *frame = c->frame;
 
-    if ((ret = ff_reget_buffer(avctx, &c->pic)) < 0) {
-        av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
+    if ((ret = ff_reget_buffer(avctx, frame)) < 0)
         return ret;
-    }
 
     bytestream2_init(gb, buf, buf_size);
 
-    c->pic.key_frame = 0;
-    c->pic.pict_type = AV_PICTURE_TYPE_P;
+    frame->key_frame = 0;
+    frame->pict_type = AV_PICTURE_TYPE_P;
 
     // restore screen after cursor
     if (c->screendta) {
@@ -341,26 +340,34 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             dy = 0;
         }
         if ((w > 0) && (h > 0)) {
-            outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
+            outptr = frame->data[0] + dx * c->bpp2 + dy * frame->linesize[0];
             for (i = 0; i < h; i++) {
                 memcpy(outptr, c->screendta + i * c->cur_w * c->bpp2,
                        w * c->bpp2);
-                outptr += c->pic.linesize[0];
+                outptr += frame->linesize[0];
             }
         }
     }
     bytestream2_skip(gb, 2);
     chunks = bytestream2_get_be16(gb);
     while (chunks--) {
+        if (bytestream2_get_bytes_left(gb) < 12) {
+            av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n");
+            return -1;
+        }
         dx  = bytestream2_get_be16(gb);
         dy  = bytestream2_get_be16(gb);
         w   = bytestream2_get_be16(gb);
         h   = bytestream2_get_be16(gb);
         enc = bytestream2_get_be32(gb);
-        outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
+        outptr = frame->data[0] + dx * c->bpp2 + dy * frame->linesize[0];
         size_left = bytestream2_get_bytes_left(gb);
         switch (enc) {
         case MAGIC_WMVd: // cursor
+            if (w*(int64_t)h*c->bpp2 > INT_MAX/2 - 2) {
+                av_log(avctx, AV_LOG_ERROR, "dimensions too large\n");
+                return AVERROR_INVALIDDATA;
+            }
             if (size_left < 2 + w * h * c->bpp2 * 2) {
                 av_log(avctx, AV_LOG_ERROR,
                        "Premature end of data! (need %i got %i)\n",
@@ -379,9 +386,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                        c->cur_hx, c->cur_hy, c->cur_w, c->cur_h);
                 c->cur_hx = c->cur_hy = 0;
             }
-            c->curbits   = av_realloc(c->curbits,   c->cur_w * c->cur_h * c->bpp2);
-            c->curmask   = av_realloc(c->curmask,   c->cur_w * c->cur_h * c->bpp2);
-            c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2);
+            c->curbits   = av_realloc_f(c->curbits,   c->cur_w * c->cur_h, c->bpp2);
+            c->curmask   = av_realloc_f(c->curmask,   c->cur_w * c->cur_h, c->bpp2);
+            c->screendta = av_realloc_f(c->screendta, c->cur_w * c->cur_h, c->bpp2);
+            if (!c->curbits || !c->curmask || !c->screendta)
+                return AVERROR(ENOMEM);
             load_cursor(c);
             break;
         case MAGIC_WMVe: // unknown
@@ -398,8 +407,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             bytestream2_skip(gb, 4);
             break;
         case MAGIC_WMVi: // ServerInitialization struct
-            c->pic.key_frame = 1;
-            c->pic.pict_type = AV_PICTURE_TYPE_I;
+            frame->key_frame = 1;
+            frame->pict_type = AV_PICTURE_TYPE_I;
             depth = bytestream2_get_byte(gb);
             if (depth != c->bpp) {
                 av_log(avctx, AV_LOG_INFO,
@@ -434,7 +443,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                 return -1;
             }
             paint_raw(outptr, w, h, gb, c->bpp2, c->bigendian,
-                      c->pic.linesize[0]);
+                      frame->linesize[0]);
             break;
         case 0x00000005: // HexTile encoded rectangle
             if ((dx + w > c->width) || (dy + h > c->height)) {
@@ -443,7 +452,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                        w, h, dx, dy, c->width, c->height);
                 return -1;
             }
-            res = decode_hextile(c, outptr, gb, w, h, c->pic.linesize[0]);
+            res = decode_hextile(c, outptr, gb, w, h, frame->linesize[0]);
             if (res < 0)
                 return -1;
             break;
@@ -472,18 +481,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             dy = 0;
         }
         if ((w > 0) && (h > 0)) {
-            outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0];
+            outptr = frame->data[0] + dx * c->bpp2 + dy * frame->linesize[0];
             for (i = 0; i < h; i++) {
                 memcpy(c->screendta + i * c->cur_w * c->bpp2, outptr,
                        w * c->bpp2);
-                outptr += c->pic.linesize[0];
+                outptr += frame->linesize[0];
             }
-            outptr = c->pic.data[0];
-            put_cursor(outptr, c->pic.linesize[0], c, c->cur_x, c->cur_y);
+            outptr = frame->data[0];
+            put_cursor(outptr, frame->linesize[0], c, c->cur_x, c->cur_y);
         }
     }
     *got_frame = 1;
-    if ((ret = av_frame_ref(data, &c->pic)) < 0)
+    if ((ret = av_frame_ref(data, frame)) < 0)
         return ret;
 
     /* always report that the buffer was completely consumed */
@@ -515,7 +524,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
         return AVERROR_INVALIDDATA;
     }
 
-    avcodec_get_frame_defaults(&c->pic);
+    c->frame = av_frame_alloc();
+    if (!c->frame)
+        return AVERROR(ENOMEM);
 
     return 0;
 }
@@ -524,11 +535,11 @@ static av_cold int decode_end(AVCodecContext *avctx)
 {
     VmncContext * const c = avctx->priv_data;
 
-    av_frame_unref(&c->pic);
+    av_frame_free(&c->frame);
 
-    av_free(c->curbits);
-    av_free(c->curmask);
-    av_free(c->screendta);
+    av_freep(&c->curbits);
+    av_freep(&c->curmask);
+    av_freep(&c->screendta);
     return 0;
 }