Merge commit 'd513c6a0ee582d22b6e793286774abbde01f6680' into release/2.2
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 11 Aug 2014 16:50:11 +0000 (18:50 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 11 Aug 2014 16:50:11 +0000 (18:50 +0200)
* commit 'd513c6a0ee582d22b6e793286774abbde01f6680':
  svq1: do not modify the input packet

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/svq1dec.c

@@@ -624,11 -630,25 +628,28 @@@ static int svq1_decode_frame(AVCodecCon
  
      /* swap some header bytes (why?) */
      if (s->frame_code != 0x20) {
-         uint32_t *src = (uint32_t *)(buf + 4);
+         uint32_t *src;
+         if (buf_size < 9 * 4) {
+             av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
+             return AVERROR_INVALIDDATA;
+         }
+         av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated,
+                        buf_size);
+         if (!s->pkt_swapped)
+             return AVERROR(ENOMEM);
+         memcpy(s->pkt_swapped, buf, buf_size);
+         buf = s->pkt_swapped;
+         init_get_bits(&s->gb, buf, buf_size * 8);
+         skip_bits(&s->gb, 22);
+         src = (uint32_t *)(s->pkt_swapped + 4);
  
 +        if (buf_size < 36)
 +            return AVERROR_INVALIDDATA;
 +
          for (i = 0; i < 4; i++)
              src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i];
      }