@@ -182,11 +182,22 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
fs->slice_y /= f->num_v_slices;
fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x;
fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y;
- if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height)
+ if ((unsigned)fs->slice_width > f->width) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_width %d out of range\n", (unsigned)fs->slice_width);
return -1;
- if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width
- || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
+ }
+ if ((unsigned)fs->slice_height > f->height) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_height %d out of range\n", (unsigned)fs->slice_height);
+ return -1;
+ }
+ if ((unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_x+slice_width %lld out of range\n", (unsigned)fs->slice_x + (uint64_t)fs->slice_width, (unsigned)fs->slice_y);
return -1;
+ }
+ if ((unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_y+slice_height %lld out of range\n", (unsigned)fs->slice_y + (uint64_t)fs->slice_height);
+ return -1;
+ }
for (i = 0; i < f->plane_count; i++) {
PlaneContext * const p = &fs->plane[i];
@@ -432,8 +443,10 @@ static int read_extra_header(FFV1Context *f)
if (f->version > 2) {
c->bytestream_end -= 4;
f->micro_version = get_symbol(c, state, 0);
- if (f->micro_version < 0)
+ if (f->micro_version < 0) {
+ av_log(f->avctx, AV_LOG_ERROR, "Invalid micro_version %i in global header\n", f->micro_version);
return AVERROR_INVALIDDATA;
+ }
}
f->ac = get_symbol(c, state, 0);
@@ -758,12 +771,22 @@ static int read_header(FFV1Context *f)
fs->slice_y /= f->num_v_slices;
fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x;
fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y;
- if ((unsigned)fs->slice_width > f->width ||
- (unsigned)fs->slice_height > f->height)
+ if ((unsigned)fs->slice_width > f->width) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_width %d out of range\n", (unsigned)fs->slice_width);
return AVERROR_INVALIDDATA;
- if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width
- || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
+ }
+ if ((unsigned)fs->slice_height > f->height) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_height %d out of range\n", (unsigned)fs->slice_height);
+ return AVERROR_INVALIDDATA;
+ }
+ if ((unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_x+slice_width %lld out of range\n", (unsigned)fs->slice_x + (uint64_t)fs->slice_width, (unsigned)fs->slice_y);
return AVERROR_INVALIDDATA;
+ }
+ if ((unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice_y+slice_height %lld out of range\n", (unsigned)fs->slice_y + (uint64_t)fs->slice_height);
+ return AVERROR_INVALIDDATA;
+ }
}
for (i = 0; i < f->plane_count; i++) {