Found by John Villamil <[email protected]> in fuzzed rv20 in mkv files.
---
libavcodec/rv10.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 1d78c92..0098ff5 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -647,8 +647,11 @@ static int rv10_decode_frame(AVCodecContext *avctx,
slice_count = avctx->slice_count;
for(i=0; i<slice_count; i++){
- int offset= get_slice_offset(avctx, slices_hdr, i);
- int size, size2;
+ unsigned offset = get_slice_offset(avctx, slices_hdr, i);
+ unsigned size, size2;
+
+ if (offset > buf_size)
+ return AVERROR_INVALIDDATA;
if(i+1 == slice_count)
size= buf_size - offset;
@@ -660,6 +663,9 @@ static int rv10_decode_frame(AVCodecContext *avctx,
else
size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
+ if (offset + FFMAX(size, size2) > buf_size)
+ return AVERROR_INVALIDDATA;
+
if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
i++;
}
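Review bot: The new `offset + FFMAX(size, size2) > buf_size` check can be defeated by unsigned wraparound, so it does not fully close the out-of-bounds read the patch targets. size and size2 are computed as unsigned differences of consecutive slice offsets (declared `unsigned` in the first hunk), so a slice table whose next offset is smaller than the current one yields a value near UINT_MAX, the addition wraps back below buf_size, and that value is still handed to rv10_decode_packet as its size. Because `offset > buf_size` has already been rejected in the first hunk, `buf_size - offset` cannot underflow, so comparing each size against the remaining bytes avoids the addition: `if (size > buf_size - offset || size2 > buf_size - offset)` / `return AVERROR_INVALIDDATA;`. Whether a zero-length size (equal offsets, or offset == buf_size) is acceptable to rv10_decode_packet is not visible here; if not, `size == 0 || size2 == 0` belongs in the same condition. The enclosing for loop and rv10_decode_frame begin outside this hunk, and buf_size's type is not shown, so the comparison assumes it is non-negative.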
--
1.7.8.4