Module: libav Branch: master Commit: 1d3a9e63e0dcbcba633d939cdfb79e977259be13
Author: Janne Grunau <[email protected]>
Committer: Janne Grunau <[email protected]>
Date: Mon Jan 23 20:57:04 2012 +0100
rv10: verify slice offsets against buffer size
Found by John Villamil <[email protected]> in fuzzed rv20 in mkv files.
---
 libavcodec/rv10.c | 9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 1d78c92..9f2fe77 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
 slice_count = avctx->slice_count;
 for(i=0; i<slice_count; i++){
- int offset= get_slice_offset(avctx, slices_hdr, i);
+ unsigned offset = get_slice_offset(avctx, slices_hdr, i);
 int size, size2;
+ if (offset >= buf_size)
+ return AVERROR_INVALIDDATA;
+
 if(i+1 == slice_count)
 size= buf_size - offset;
 else
@@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx,
 else
 size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
+ if (size <= 0 || size2 <= 0 ||
+ offset + FFMAX(size, size2) > buf_size)
+ return AVERROR_INVALIDDATA;
+
 if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
 i++;
 }
_______________________________________________
libav-commits mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-commits
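Review bot: The added `offset >= buf_size` test in the first hunk compares the now-`unsigned` offset with `buf_size`, which is declared outside the hunk and looks like a signed `int` (it is assigned into `int size`), so the check holds only if `buf_size` can never be negative here. A short comment on the declaration would record why the type changed, e.g. `/* unsigned: an offset with the top bit set must fail the bound check, not become a negative index */`. Both this return and the one added in the second hunk reject the packet silently, which makes malformed or fuzzed files hard to triage; a line such as `av_log(avctx, AV_LOG_ERROR, "Invalid slice offset %u\n", offset);` before each return would help. The loop body of rv10_decode_frame continues outside the hunk.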
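Review bot: In the second hunk, `offset + FFMAX(size, size2) > buf_size` is evaluated in unsigned arithmetic and cannot wrap only because the first hunk has already rejected `offset >= buf_size` and the same condition tests `size <= 0 || size2 <= 0` first, assuming `buf_size` is a non-negative `int`. That dependency on ordering is worth a comment such as `/* cannot wrap: offset < buf_size was checked above, size and size2 are positive */`, so that a later reorder does not reopen the out-of-bounds read. The `return` also leaves the loop after earlier slices of the same frame may already have been decoded; whether that path needs any per-frame cleanup cannot be seen from this hunk and should be confirmed. The function starts and ends outside the hunk.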
