From d509c743b78da198af385fea362b632292cd00ad Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Date: Sun, 14 Jun 2009 22:34:28 +0000
Subject: [PATCH] check if frame size matches old sys and assumes corrupted
 input, fixes #1192

Originally committed as revision 19192 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/dv.c     | 2 +-
 libavcodec/dvdata.h | 8 +++++++-
 libavformat/dv.c    | 4 ++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dv.c b/libavcodec/dv.c
index d47929867fb..7bc04789f9c 100644
--- a/libavcodec/dv.c
+++ b/libavcodec/dv.c
@@ -1119,7 +1119,7 @@ static int dvvideo_decode_frame(AVCodecContext *avctx,
     int buf_size = avpkt->size;
     DVVideoContext *s = avctx->priv_data;
 
-    s->sys = dv_frame_profile(buf);
+    s->sys = dv_frame_profile(s->sys, buf, buf_size);
     if (!s->sys || buf_size < s->sys->frame_size || dv_init_dynamic_tables(s->sys))
         return -1; /* NOTE: we only accept several full frames */
 
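Review bot: `dv_frame_profile(s->sys, buf, buf_size)` is called here with no visible lower bound on `buf_size`, whereas `dv_produce_packet` in libavformat/dv.c rejects `buf_size < DV_PROFILE_BYTES` before making the same call. The lines of dv_frame_profile that read the header bytes are outside the hunks shown, so if they index `frame` unconditionally, a short packet is read past its end before the `buf_size < s->sys->frame_size` test on the following line can reject it. Now that the helper receives the length, it could enforce the minimum itself as its first statement, `if (buf_size < DV_PROFILE_BYTES) return NULL;`, assuming DV_PROFILE_BYTES is visible in dvdata.h. dvvideo_decode_frame begins above this hunk, so an earlier size check may already exist there.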
diff --git a/libavcodec/dvdata.h b/libavcodec/dvdata.h
index 21023cfe59e..a32b863c5d7 100644
--- a/libavcodec/dvdata.h
+++ b/libavcodec/dvdata.h
@@ -698,7 +698,9 @@ enum dv_pack_type {
  */
 #define DV_MAX_BPM 8
 
-static inline const DVprofile* dv_frame_profile(const uint8_t* frame)
+static inline
+const DVprofile* dv_frame_profile(const DVprofile *sys,
+                                  const uint8_t* frame, unsigned buf_size)
 {
    int i;
 
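Review bot: The new signature carries a contract that nothing on the declaration documents: `sys` has to be NULL or a profile returned by an earlier call, and `buf_size` is the number of bytes available at `frame`. A short doc comment above the function should state both, and should say that a non-NULL `sys` can be returned unchanged when the header matches no known profile. The function body continues outside this hunk.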
@@ -715,6 +717,10 @@ static inline const DVprofile* dv_frame_profile(const uint8_t* frame)
        if (dsf == dv_profiles[i].dsf && stype == dv_profiles[i].video_stype)
            return &dv_profiles[i];
 
+   /* check if old sys matches and assumes corrupted input */
+   if (sys && buf_size == sys->frame_size)
+       return sys;
+
    return NULL;
 }
 
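Review bot: The fallback `if (sys && buf_size == sys->frame_size) return sys;` returns a profile that the frame header did not select, and the caller cannot tell that apart from a real match. Code that parses the frame afterwards is then working from a header already known to disagree with the profile, so it should not assume header-derived fields are consistent with `sys`; this is inferred, because that code is not in the hunk. The exact equality also means a buffer holding more than one frame, which the decoder accepts according to its `buf_size < s->sys->frame_size` test, never takes this path. I would reword the comment to `/* header matches no profile: if the buffer is exactly one frame of the previous profile, assume a corrupted header and keep that profile */`.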
diff --git a/libavformat/dv.c b/libavformat/dv.c
index 820c3b5cec8..28d44ee54fb 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -322,7 +322,7 @@ int dv_produce_packet(DVDemuxContext *c, AVPacket *pkt,
     uint8_t *ppcm[4] = {0};
 
     if (buf_size < DV_PROFILE_BYTES ||
-        !(c->sys = dv_frame_profile(buf)) ||
+        !(c->sys = dv_frame_profile(c->sys, buf, buf_size)) ||
         buf_size < c->sys->frame_size) {
           return -1;   /* Broken frame, or not enough data */
     }
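Review bot: Assigning inside the condition, `!(c->sys = dv_frame_profile(c->sys, buf, buf_size))`, overwrites the remembered profile with NULL whenever the call fails, so a single frame with both an unrecognised header and an unexpected length disables the fallback for every later frame. The same applies to `s->sys = dv_frame_profile(s->sys, buf, buf_size);` in libavcodec/dv.c. If recovery across such a frame is wanted, make the call into a local `const DVprofile *sys` after the `DV_PROFILE_BYTES` check and store it with `c->sys = sys;` only once both tests have passed. Whether other code relies on `c->sys` being NULL after a rejected frame is not visible here, and dv_produce_packet continues outside the hunk.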
@@ -421,7 +421,7 @@ static int dv_read_header(AVFormatContext *s,
         url_fseek(s->pb, -DV_PROFILE_BYTES, SEEK_CUR) < 0)
         return AVERROR(EIO);
 
-    c->dv_demux->sys = dv_frame_profile(c->buf);
+    c->dv_demux->sys = dv_frame_profile(c->dv_demux->sys, c->buf, DV_PROFILE_BYTES);
     if (!c->dv_demux->sys) {
         av_log(s, AV_LOG_ERROR, "Can't determine profile of DV input stream.\n");
         return -1;
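Review bot: `dv_frame_profile(c->dv_demux->sys, c->buf, DV_PROFILE_BYTES)` reads `c->dv_demux->sys` as the previous profile before this function has assigned it, so the call is only safe if the demux context was zero-initialised when it was allocated, which this hunk does not show. Because the length passed is `DV_PROFILE_BYTES` rather than a frame length, the fallback is presumably not meant to apply while probing the header. Passing NULL states that directly and removes the dependency: `c->dv_demux->sys = dv_frame_profile(NULL, c->buf, DV_PROFILE_BYTES);`. dv_read_header continues outside the hunk.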
-- 
GitLab