1 files changed, 37 insertions, 19 deletions

diff --git a/libmpeg2/slice.c b/libmpeg2/slice.c
index 4d778a7026..99fcf95c22 100644
--- a/libmpeg2/slice.c
+++ b/libmpeg2/slice.c
@@ -450,7 +450,7 @@ static void get_intra_block_B14 (mpeg2_decoder_t * const decoder,
 	break;	/* illegal, check needed to avoid buffer overflow */
     }
     dest[63] ^= mismatch & 16;
-    DUMPBITS (bit_buf, bits, 2);	/* dump end of block code */
+    DUMPBITS (bit_buf, bits, tab->len);	/* dump end of block code */
     decoder->bitstream_buf = bit_buf;
     decoder->bitstream_bits = bits;
     decoder->bitstream_ptr = bit_ptr;
@@ -508,7 +508,7 @@ static void get_intra_block_B15 (mpeg2_decoder_t * const decoder,
 	    } else {
 
 		/* end of block. I commented out this code because if we */
-		/* dont exit here we will still exit at the later test :) */
+		/* do not exit here we will still exit at the later test :) */
 
 		/* if (i >= 128) break;	*/	/* end of block */
 
@@ -560,7 +560,7 @@ static void get_intra_block_B15 (mpeg2_decoder_t * const decoder,
 	break;	/* illegal, check needed to avoid buffer overflow */
     }
     dest[63] ^= mismatch & 16;
-    DUMPBITS (bit_buf, bits, 4);	/* dump end of block code */
+    DUMPBITS (bit_buf, bits, tab->len);	/* dump end of block code */
     decoder->bitstream_buf = bit_buf;
     decoder->bitstream_bits = bits;
     decoder->bitstream_ptr = bit_ptr;
@@ -681,7 +681,7 @@ static int get_non_intra_block (mpeg2_decoder_t * const decoder,
 	break;	/* illegal, check needed to avoid buffer overflow */
     }
     dest[63] ^= mismatch & 16;
-    DUMPBITS (bit_buf, bits, 2);	/* dump end of block code */
+    DUMPBITS (bit_buf, bits, tab->len);	/* dump end of block code */
     decoder->bitstream_buf = bit_buf;
     decoder->bitstream_bits = bits;
     decoder->bitstream_ptr = bit_ptr;
@@ -799,7 +799,7 @@ static void get_mpeg1_intra_block (mpeg2_decoder_t * const decoder)
 	}
 	break;	/* illegal, check needed to avoid buffer overflow */
     }
-    DUMPBITS (bit_buf, bits, 2);	/* dump end of block code */
+    DUMPBITS (bit_buf, bits, tab->len);	/* dump end of block code */
     decoder->bitstream_buf = bit_buf;
     decoder->bitstream_bits = bits;
     decoder->bitstream_ptr = bit_ptr;
@@ -926,7 +926,7 @@ static int get_mpeg1_non_intra_block (mpeg2_decoder_t * const decoder)
 	}
 	break;	/* illegal, check needed to avoid buffer overflow */
     }
-    DUMPBITS (bit_buf, bits, 2);	/* dump end of block code */
+    DUMPBITS (bit_buf, bits, tab->len);	/* dump end of block code */
     decoder->bitstream_buf = bit_buf;
     decoder->bitstream_bits = bits;
     decoder->bitstream_ptr = bit_ptr;
@@ -1569,18 +1569,24 @@ do {								\
 
 #define NEXT_MACROBLOCK							\
 do {									\
-    if(decoder->quant_store) {                                          \
-       if (decoder->picture_structure == TOP_FIELD)                     \
-        decoder->quant_store[2*decoder->quant_stride*(decoder->v_offset>>4) \
-                    +(decoder->offset>>4)] = decoder->quantizer_scale;  \
-       else if (decoder->picture_structure == BOTTOM_FIELD)             \
-        decoder->quant_store[2*decoder->quant_stride*(decoder->v_offset>>4) \
-	            + decoder->quant_stride                             \
-                    +(decoder->offset>>4)] = decoder->quantizer_scale;  \
-       else                                                             \
-        decoder->quant_store[decoder->quant_stride*(decoder->v_offset>>4) \
-                    +(decoder->offset>>4)] = decoder->quantizer_scale;  \
-    }                                                                   \
+    if(decoder->quant_store) {						\
+	if (decoder->picture_structure == TOP_FIELD)			\
+	    decoder->quant_store[2 * decoder->quant_stride		\
+				 * (decoder->v_offset >> 4)		\
+				 + (decoder->offset >> 4)]		\
+		= decoder->quantizer_scale;				\
+	else if (decoder->picture_structure == BOTTOM_FIELD)		\
+	    decoder->quant_store[2 * decoder->quant_stride		\
+				 * (decoder->v_offset >> 4)		\
+				 + decoder->quant_stride		\
+				 + (decoder->offset >> 4)]		\
+		= decoder->quantizer_scale;				\
+	else								\
+	    decoder->quant_store[decoder->quant_stride			\
+				 * (decoder->v_offset >> 4)		\
+				 + (decoder->offset >> 4)]		\
+		= decoder->quantizer_scale;				\
+    }									\
     decoder->offset += 16;						\
     if (decoder->offset == decoder->width) {				\
 	do { /* just so we can use the break statement */		\
@@ -1604,6 +1610,10 @@ do {									\
     }									\
 } while (0)
 
+/**
+ * Dummy motion decoding function, to avoid calling NULL in
+ * case of malformed streams.
+ */
 static void motion_dummy (mpeg2_decoder_t * const decoder,
                           motion_t * const motion,
                           mpeg2_mc_fct * const * const table)
@@ -1668,7 +1678,7 @@ void mpeg2_init_fbuf (mpeg2_decoder_t * decoder, uint8_t * current_fbuf[3],
     if (decoder->mpeg1) {
 	decoder->motion_parser[0] = motion_zero_420;
         decoder->motion_parser[MC_FIELD] = motion_dummy;
-	decoder->motion_parser[MC_FRAME] = motion_mp1;
+ 	decoder->motion_parser[MC_FRAME] = motion_mp1;
         decoder->motion_parser[MC_DMV] = motion_dummy;
 	decoder->motion_parser[4] = motion_reuse_420;
     } else if (decoder->picture_structure == FRAME_PICTURE) {
@@ -1894,6 +1904,14 @@ void mpeg2_slice (mpeg2_decoder_t * const decoder, const int code,
 
 	    motion_parser_t * parser;
 
+	    if (   ((macroblock_modes >> MOTION_TYPE_SHIFT) < 0)
+                || ((macroblock_modes >> MOTION_TYPE_SHIFT) >=
+                    (int)(sizeof(decoder->motion_parser) 
+                          / sizeof(decoder->motion_parser[0])))
+	       ) {
+		break; // Illegal !
+	    }
+
 	    parser =
 		decoder->motion_parser[macroblock_modes >> MOTION_TYPE_SHIFT];
 	    MOTION_CALL (parser, macroblock_modes);