From fe5b6b4587dad27e7f75ff02499b07a1b6458602 Mon Sep 17 00:00:00 2001
From: alexc
Date: Thu, 19 Feb 2009 22:56:35 +0000
Subject: [PATCH] Some buffer checks for indeo3

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@17462 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
---
 libavcodec/indeo3.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 6173c6f2e..e1f74da88 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -975,7 +975,7 @@ static av_cold int indeo3_decode_init(AVCodecContext *avctx)
     return ret;
 }
 
-static unsigned long iv_decode_frame(Indeo3DecodeContext *s,
+static int iv_decode_frame(Indeo3DecodeContext *s,
                                      const uint8_t *buf, int buf_size)
 {
     unsigned int image_width, image_height,
@@ -1006,6 +1006,11 @@ static unsigned long iv_decode_frame(Indeo3DecodeContext *s,
     hdr_pos = buf_pos;
     if(data_size == 0x80) return 4;
 
+    if(FFMAX3(y_offset, v_offset, u_offset) >= buf_size-16) {
+        av_log(s->avctx, AV_LOG_ERROR, "y/u/v offset outside buffer\n");
+        return -1;
+    }
+
     if(flags & 0x200) {
         s->cur_frame = s->iv_frame + 1;
         s->ref_frame = s->iv_frame;
@@ -1016,6 +1021,10 @@ static unsigned long iv_decode_frame(Indeo3DecodeContext *s,
     buf_pos = buf + 16 + y_offset;
     mc_vector_count = bytestream_get_le32(&buf_pos);
+    if(2LL*mc_vector_count >= buf_size-16-y_offset) {
+        av_log(s->avctx, AV_LOG_ERROR, "mc_vector_count too large\n");
+        return -1;
+    }
     iv_Decode_Chunk(s, s->cur_frame->Ybuf, s->ref_frame->Ybuf, image_width, image_height, buf_pos + mc_vector_count * 2, cb_offset, hdr_pos, buf_pos,
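Review bot: The bound `FFMAX3(y_offset, v_offset, u_offset) >= buf_size-16` only guarantees one byte at buf+16+offset, but the first thing done with each offset (the -1016, -1026 and -1033 hunks) is a four-byte `bytestream_get_le32` read there, so an offset of buf_size-17 reads up to three bytes past buf_size and is covered only by whatever input padding the caller provides; `if(FFMAX3(y_offset, v_offset, u_offset) >= buf_size-20) {` closes that. If the offsets are unsigned like `image_width` in the -975 hunk and buf_size is not already checked to be at least 16 before this point (not visible in the hunk), `buf_size-16` goes negative and the comparison promotes it to a large unsigned value, so the check would never fire; a preceding `if(buf_size < 20) return -1;` removes that dependency. iv_decode_frame's body continues outside the hunk.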
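Review bot: The check `2LL*mc_vector_count >= buf_size-16-y_offset` measures from buf+16+y_offset, but buf_pos has already advanced four bytes past that in the preceding `bytestream_get_le32`, so the vector array it accepts can end up to three bytes beyond buf_size, and the chunk data pointer `buf_pos + mc_vector_count * 2` handed to iv_Decode_Chunk can then start outside the input entirely. Measuring from the current position, `if(2LL*mc_vector_count >= buf_size-20-y_offset) {`, keeps at least the vector array inside the buffer; whether iv_Decode_Chunk bounds its own reads from that pointer is not visible here. The same check is repeated verbatim for v_offset at -1026 and u_offset at -1033 and would be clearer as one static helper taking the offset and buf_size. The iv_Decode_Chunk call and the function continue outside the hunk.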
@@ -1026,6 +1035,10 @@ static unsigned long iv_decode_frame(Indeo3DecodeContext *s,
     buf_pos = buf + 16 + v_offset;
     mc_vector_count = bytestream_get_le32(&buf_pos);
+    if(2LL*mc_vector_count >= buf_size-16-v_offset) {
+        av_log(s->avctx, AV_LOG_ERROR, "mc_vector_count too large\n");
+        return -1;
+    }
     iv_Decode_Chunk(s, s->cur_frame->Vbuf, s->ref_frame->Vbuf, chroma_width, chroma_height, buf_pos + mc_vector_count * 2, cb_offset, hdr_pos, buf_pos,
@@ -1033,6 +1046,10 @@ static unsigned long iv_decode_frame(Indeo3DecodeContext *s,
     buf_pos = buf + 16 + u_offset;
     mc_vector_count = bytestream_get_le32(&buf_pos);
+    if(2LL*mc_vector_count >= buf_size-16-u_offset) {
+        av_log(s->avctx, AV_LOG_ERROR, "mc_vector_count too large\n");
+        return -1;
+    }
     iv_Decode_Chunk(s, s->cur_frame->Ubuf, s->ref_frame->Ubuf, chroma_width, chroma_height, buf_pos + mc_vector_count * 2, cb_offset, hdr_pos, buf_pos,
@@ -1051,7 +1068,8 @@ static int indeo3_decode_frame(AVCodecContext *avctx,
     uint8_t *src, *dest;
     int y;
 
-    iv_decode_frame(s, buf, buf_size);
+    if (iv_decode_frame(s, buf, buf_size) < 0)
+        return -1;
 
     if(s->frame.data[0])
         avctx->release_buffer(avctx, &s->frame);
-- 
2.39.2
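Review bot: Returning -1 here drops the packet, but by the time the mc_vector_count checks inside iv_decode_frame fail, the `flags & 0x200` branch shown in the -1006 hunk has already swapped s->cur_frame and s->ref_frame, and for the V and U checks the Y plane has already been decoded into cur_frame, so the next packet is predicted from a half-updated reference. Validating all three offsets and vector counts before the pointer swap, or restoring the previous cur_frame/ref_frame on the error path, keeps the reference state consistent after a rejected packet. indeo3_decode_frame's body continues outside the hunk.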