This limit is possibly not reachable due to other restrictions on buffers but
the decoder run table is too small beyond this, so explicitly check for it.
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/ffv1dec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 365f8b77a7..7731c15c87 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -187,6 +187,9 @@ static int decode_slice_header(const FFV1Context *f,
FFV1Context *fs)
|| (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
return -1;
+ if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+ return AVERROR_INVALIDDATA;
+
for (i = 0; i < f->plane_count; i++) {
PlaneContext * const p = &fs->plane[i];
int idx = get_symbol(c, state, 0);
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
