Revision b89f4fb1 libavcodec/truemotion2.c

View differences:

libavcodec/truemotion2.c
260 260
    return 0;
261 261
}
262 262

  
263
static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id) {
263
static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size)
264
{
264 265
    int i;
265 266
    int cur = 0;
266 267
    int skip = 0;
......
274 275
    if(len == 0)
275 276
        return 4;
276 277

  
278
    if (len >= INT_MAX/4-1 || len < 0 || len > buf_size) {
279
        av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n");
280
        return -1;
281
    }
282

  
277 283
    toks = AV_RB32(buf); buf += 4; cur += 4;
278 284
    if(toks & 1) {
279 285
        len = AV_RB32(buf); buf += 4; cur += 4;
......
313 319
    len = AV_RB32(buf); buf += 4; cur += 4;
314 320
    if(len > 0) {
315 321
        init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
316
        for(i = 0; i < toks; i++)
322
        for(i = 0; i < toks; i++) {
323
            if (get_bits_left(&ctx->gb) <= 0) {
324
                av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks);
325
                return -1;
326
            }
317 327
            ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes);
328
        }
318 329
    } else {
319 330
        for(i = 0; i < toks; i++)
320 331
            ctx->tokens[stream_id][i] = codes.recode[0];
......
788 799
    }
789 800

  
790 801
    for(i = 0; i < TM2_NUM_STREAMS; i++){
791
        t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i]);
802
        t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size);
792 803
        if(t == -1){
793 804
            av_free(swbuf);
794 805
            return -1;

Also available in: Unified diff