|
|
|
@@ -440,7 +440,7 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame, |
|
|
|
if (f->version > 1) { |
|
|
|
extra = 20; |
|
|
|
if (length < extra) |
|
|
|
return -1; |
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
bitstream_size = AV_RL32(buf + 8); |
|
|
|
wordstream_size = AV_RL32(buf + 12); |
|
|
|
bytestream_size = AV_RL32(buf + 16); |
|
|
|
@@ -827,27 +827,33 @@ static int decode_frame(AVCodecContext *avctx, void *data, |
|
|
|
AVFrame *picture = data; |
|
|
|
int i, frame_4cc, frame_size, ret; |
|
|
|
|
|
|
|
if (buf_size < 12) |
|
|
|
if (buf_size < 20) |
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
frame_4cc = AV_RL32(buf); |
|
|
|
if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20) |
|
|
|
|
|
|
|
if (buf_size < AV_RL32(buf + 4) + 8) { |
|
|
|
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", |
|
|
|
buf_size, AV_RL32(buf + 4)); |
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
} |
|
|
|
|
|
|
|
frame_4cc = AV_RL32(buf); |
|
|
|
|
|
|
|
if (frame_4cc == AV_RL32("cfrm")) { |
|
|
|
int free_index = -1; |
|
|
|
int id, whole_size; |
|
|
|
const int data_size = buf_size - 20; |
|
|
|
const int id = AV_RL32(buf + 12); |
|
|
|
const int whole_size = AV_RL32(buf + 16); |
|
|
|
CFrameBuffer *cfrm; |
|
|
|
|
|
|
|
if (data_size < 0 || whole_size < 0) { |
|
|
|
av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); |
|
|
|
if (f->version <= 1) { |
|
|
|
av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version); |
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
} |
|
|
|
|
|
|
|
if (f->version <= 1) { |
|
|
|
av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version); |
|
|
|
id = AV_RL32(buf + 12); |
|
|
|
whole_size = AV_RL32(buf + 16); |
|
|
|
|
|
|
|
if (data_size < 0 || whole_size < 0) { |
|
|
|
av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); |
|
|
|
return AVERROR_INVALIDDATA; |
|
|
|
} |
|
|
|
|
|
|
|
|
Michael Niedermayer
12 years ago