diff options
Diffstat (limited to 'libavcodec/vmnc.c')
-rw-r--r-- | libavcodec/vmnc.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index d060d5b81f..99571a1b76 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -2,20 +2,20 @@ * VMware Screen Codec (VMnc) decoder * Copyright (c) 2006 Konstantin Shishkov * - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -296,10 +296,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, const uint8_t *src = buf; int dx, dy, w, h, depth, enc, chunks, res, size_left, ret; - if ((ret = ff_reget_buffer(avctx, &c->pic)) < 0) { - av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); + if ((ret = ff_reget_buffer(avctx, &c->pic)) < 0) return ret; - } c->pic.key_frame = 0; c->pic.pict_type = AV_PICTURE_TYPE_P; @@ -332,6 +330,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, src += 2; chunks = AV_RB16(src); src += 2; while(chunks--) { + if(buf_size - (src - buf) < 12) { + av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n"); + return -1; + } dx = AV_RB16(src); src += 2; dy = AV_RB16(src); src += 2; w = AV_RB16(src); src += 2; @@ -341,6 +343,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, size_left = buf_size - (src - buf); switch(enc) { case MAGIC_WMVd: // cursor + if (w*(int64_t)h*c->bpp2 > INT_MAX/2 - 2) { + av_log(avctx, AV_LOG_ERROR, "dimensions too large\n"); + return AVERROR_INVALIDDATA; + } if(size_left < 2 + w * h * c->bpp2 * 2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left); return -1; @@ -472,6 +478,7 @@ static av_cold int decode_init(AVCodecContext *avctx) c->bpp = avctx->bits_per_coded_sample; c->bpp2 = c->bpp/8; + avcodec_get_frame_defaults(&c->pic); switch(c->bpp){ case 8: |