~ubuntu-branches/ubuntu/lucid/ffmpeg/lucid-security


Viewing changes to libavcodec/indeo3.c

  • Committer: Bazaar Package Importer
  • Author(s): Reinhard Tartler
  • Date: 2009-03-13 09:18:28 UTC
  • mfrom: (1.1.8 upstream)
  • Revision ID: james.westby@ubuntu.com-20090313091828-n4ktby5eca487uhv
Tags: 3:0.svn20090303-1ubuntu1+unstripped1
merge from ubuntu.jaunty branch

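--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -975,8 +975,8 @@
     return ret;
 }
 
-static unsigned long iv_decode_frame(Indeo3DecodeContext *s,
-                                     const uint8_t *buf, int buf_size)
+static int iv_decode_frame(Indeo3DecodeContext *s,
+                           const uint8_t *buf, int buf_size)
 {
     unsigned int image_width, image_height,
                  chroma_width, chroma_height;
@@ -1006,6 +1006,11 @@
     hdr_pos = buf_pos;
     if(data_size == 0x80) return 4;
 
+    if(FFMAX3(y_offset, v_offset, u_offset) >= buf_size-16) {
+        av_log(s->avctx, AV_LOG_ERROR, "y/u/v offset outside buffer\n");
+        return -1;
+    }
+
     if(flags & 0x200) {
         s->cur_frame = s->iv_frame + 1;
         s->ref_frame = s->iv_frame;
@@ -1016,6 +1021,10 @@
 
     buf_pos = buf + 16 + y_offset;
     mc_vector_count = bytestream_get_le32(&buf_pos);
+    if(2LL*mc_vector_count >= buf_size-16-y_offset) {
+        av_log(s->avctx, AV_LOG_ERROR, "mc_vector_count too large\n");
+        return -1;
+    }
 
     iv_Decode_Chunk(s, s->cur_frame->Ybuf, s->ref_frame->Ybuf, image_width,
                     image_height, buf_pos + mc_vector_count * 2, cb_offset, hdr_pos, buf_pos,
@@ -1026,6 +1035,10 @@
 
         buf_pos = buf + 16 + v_offset;
         mc_vector_count = bytestream_get_le32(&buf_pos);
+        if(2LL*mc_vector_count >= buf_size-16-v_offset) {
+            av_log(s->avctx, AV_LOG_ERROR, "mc_vector_count too large\n");
+            return -1;
+        }
 
         iv_Decode_Chunk(s, s->cur_frame->Vbuf, s->ref_frame->Vbuf, chroma_width,
                 chroma_height, buf_pos + mc_vector_count * 2, cb_offset, hdr_pos, buf_pos,
@@ -1033,6 +1046,10 @@
 
         buf_pos = buf + 16 + u_offset;
         mc_vector_count = bytestream_get_le32(&buf_pos);
+        if(2LL*mc_vector_count >= buf_size-16-u_offset) {
+            av_log(s->avctx, AV_LOG_ERROR, "mc_vector_count too large\n");
+            return -1;
+        }
 
         iv_Decode_Chunk(s, s->cur_frame->Ubuf, s->ref_frame->Ubuf, chroma_width,
                 chroma_height, buf_pos + mc_vector_count * 2, cb_offset, hdr_pos, buf_pos,
@@ -1051,7 +1068,8 @@
     uint8_t *src, *dest;
     int y;
 
-    iv_decode_frame(s, buf, buf_size);
+    if (iv_decode_frame(s, buf, buf_size) < 0)
+        return -1;
 
     if(s->frame.data[0])
         avctx->release_buffer(avctx, &s->frame);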
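Review bot: The new bounds checks leave out the 4-byte count field that `bytestream_get_le32(&buf_pos)` reads at each plane offset: the offset test at new line 1009 accepts an offset of `buf_size-17`, so the read at `buf + 16 + y_offset` can run up to three bytes past `buf_size`, and the three `mc_vector_count` tests (new lines 1024, 1038, 1049) let `buf_pos + mc_vector_count * 2` land up to three bytes beyond the end. Comparing against `buf_size-20` in all four places would close that gap, e.g. `if(FFMAX3(y_offset, v_offset, u_offset) >= buf_size-20) {` and `if(2LL*mc_vector_count >= buf_size-20-y_offset) {`. The declarations of the offsets are outside the hunks; if they are unsigned, a `buf_size` below 16 makes `buf_size-16` wrap to a large value and the test passes, so a minimum-size check on `buf_size` before the header is parsed looks worth adding. `iv_decode_frame` begins and ends outside the visible hunks, so any earlier length check is not visible here.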