Browse code
Prevent block size from inreasing in the shorten decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b399cbfba5d901608c18e1a2d48a24c30541a634)
(cherry picked from commit 55a96a984ec65736475a8577a158abc5c48fd50a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Laurent Aimar authored on 2011/10/01 07:43:05Showing 1 changed files
| ... | ... |
@@ -469,9 +469,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, |
| 469 | 469 |
case FN_BITSHIFT: |
| 470 | 470 |
s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); |
| 471 | 471 |
break; |
| 472 |
- case FN_BLOCKSIZE: |
|
| 473 |
- s->blocksize = get_uint(s, av_log2(s->blocksize)); |
|
| 472 |
+ case FN_BLOCKSIZE: {
|
|
| 473 |
+ int blocksize = get_uint(s, av_log2(s->blocksize)); |
|
| 474 |
+ if (blocksize > s->blocksize) {
|
|
| 475 |
+ av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); |
|
| 476 |
+ return AVERROR_PATCHWELCOME; |
|
| 477 |
+ } |
|
| 478 |
+ s->blocksize = blocksize; |
|
| 474 | 479 |
break; |
| 480 |
+ } |
|
| 475 | 481 |
case FN_QUIT: |
| 476 | 482 |
*data_size = 0; |
| 477 | 483 |
return buf_size; |