From 7389bb12e6b3ec3660592fde370d9dd4fe816d2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Dec 2012 19:16:19 +0100 Subject: [PATCH] svq1dec: update w/h only if the header is successfully parsed. Prevents inconsistency and out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index e231eac48f..27e9606f88 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -505,6 +505,8 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) static int svq1_decode_frame_header(GetBitContext *bitbuf, MpegEncContext *s) { int frame_size_code; + int width = s->width; + int height = s->height; skip_bits(bitbuf, 8); /* temporal_reference */ @@ -544,15 +546,15 @@ static int svq1_decode_frame_header(GetBitContext *bitbuf, MpegEncContext *s) if (frame_size_code == 7) { /* load width, height (12 bits each) */ - s->width = get_bits(bitbuf, 12); - s->height = get_bits(bitbuf, 12); + width = get_bits(bitbuf, 12); + height = get_bits(bitbuf, 12); - if (!s->width || !s->height) + if (!width || !height) return AVERROR_INVALIDDATA; } else { /* get width, height from table */ - s->width = ff_svq1_frame_size_table[frame_size_code].width; - s->height = ff_svq1_frame_size_table[frame_size_code].height; + width = ff_svq1_frame_size_table[frame_size_code].width; + height = ff_svq1_frame_size_table[frame_size_code].height; } } @@ -575,6 +577,8 @@ static int svq1_decode_frame_header(GetBitContext *bitbuf, MpegEncContext *s) skip_bits(bitbuf, 8); } + s->width = width; + s->height = height; return 0; }