Module: libav Branch: release/0.7 Commit: 000bd5209f91bbdaf08a29271b6b5bd8c6058c3e
Author: Laurent Aimar <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Wed Sep 21 20:46:31 2011 +0200 rv34: Check for invalid slices offsets Signed-off-by: Martin Storsjö <[email protected]> (cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd) Signed-off-by: Anton Khirnov <[email protected]> --- libavcodec/rv34.c | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 70c35ef..cc1cae2 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1466,13 +1466,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size || size < 0){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } r->si.end = s->mb_width * s->mb_height; if(i+1 < slice_count){ + if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || + get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); + break; + } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ if(i+2 < slice_count) @@ -1482,6 +1487,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, }else r->si.end = si.start; } + if (size < 0 || size > buf_size - offset) { + av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); + break; + } last = rv34_decode_slice(r, r->si.end, buf + offset, size); s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(last) _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
