RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

svq1dec: update w/h only if the header is successfully parsed. 

Prevents inconsistency and out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-12-01 19:16:19 +01:00
parent c9ff32215b
commit 7389bb12e6
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libavcodec/svq1dec.c
View File

@ -505,6 +505,8 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
static int svq1_decode_frame_header(GetBitContext *bitbuf, MpegEncContext *s)
{
int frame_size_code;
int width = s->width;
int height = s->height;
skip_bits(bitbuf, 8); /* temporal_reference */
@ -544,15 +546,15 @@ static int svq1_decode_frame_header(GetBitContext *bitbuf, MpegEncContext *s)
if (frame_size_code == 7) {
/* load width, height (12 bits each) */
s->width = get_bits(bitbuf, 12);
s->height = get_bits(bitbuf, 12);
width = get_bits(bitbuf, 12);
height = get_bits(bitbuf, 12);
if (!s->width || !s->height)
if (!width || !height)
return AVERROR_INVALIDDATA;
} else {
/* get width, height from table */
s->width = ff_svq1_frame_size_table[frame_size_code].width;
s->height = ff_svq1_frame_size_table[frame_size_code].height;
width = ff_svq1_frame_size_table[frame_size_code].width;
height = ff_svq1_frame_size_table[frame_size_code].height;
}
}
@ -575,6 +577,8 @@ static int svq1_decode_frame_header(GetBitContext *bitbuf, MpegEncContext *s)
skip_bits(bitbuf, 8);
}
s->width = width;
s->height = height;
return 0;
}