Hej, On 2012-01-24 07:20:10 +0800, Ronald S. Bultje wrote: > > On Tue, Jan 24, 2012 at 5:00 AM, Janne Grunau <[email protected]> wrote: > > Found by John Villamil <[email protected]> in fuzzed rv20 in mkv files. > > --- > > libavcodec/rv10.c | 10 ++++++++-- > > 1 files changed, 8 insertions(+), 2 deletions(-) > [..] > > + if (offset > buf_size) > > + return AVERROR_INVALIDDATA; > > Shouldn't that be >=? Same for the other.
actually not for the other since for the last two slices offset + size2 == buf_size is true Janne ---8<-- Found by John Villamil <[email protected]> in fuzzed rv20 in mkv files. --- libavcodec/rv10.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 1d78c92..9f2fe77 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; for(i=0; i<slice_count; i++){ - int offset= get_slice_offset(avctx, slices_hdr, i); + unsigned offset = get_slice_offset(avctx, slices_hdr, i); int size, size2; + if (offset >= buf_size) + return AVERROR_INVALIDDATA; + if(i+1 == slice_count) size= buf_size - offset; else @@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx, else size2= get_slice_offset(avctx, slices_hdr, i+2) - offset; + if (size <= 0 || size2 <= 0 || + offset + FFMAX(size, size2) > buf_size) + return AVERROR_INVALIDDATA; + if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size) i++; } -- 1.7.8.4 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
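Review bot: in the first hunk, declaring `offset` as `unsigned` and testing `offset >= buf_size` rejects negative values from get_slice_offset() as well as offsets at or past the end of the buffer, which the earlier `>` version let through; the cost is that `size= buf_size - offset;` and `size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;` are now unsigned subtractions stored into `int size, size2;`, so a next-slice offset smaller than the current one yields a wrapped value whose conversion to int is implementation-defined (negative on two's-complement targets). The loop relies on the later `size <= 0 || size2 <= 0` test to catch that; a short comment saying so, or comparing the two offsets before subtracting, would make the intent obvious to the next reader.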
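Review bot: in the second hunk the `>` in `offset + FFMAX(size, size2) > buf_size` is the right strictness, since `offset + size2 == buf_size` holds for the last two slices on every valid frame, so `>=` would reject all of them as Janne notes. Worth stating in a comment: the sum mixes `unsigned offset` with the `int` result of FFMAX and is evaluated as unsigned, which is only safe because `size <= 0 || size2 <= 0` is tested first in the same condition and `offset >= buf_size` was already rejected above, so the ordering of those checks must not be changed.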
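To make Janne's reasoning about `>` versus `>=` concrete, here is a stand-alone model of the slice bounds checks from the thread. This is an added example, not libav code: a plain `int` array stands in for get_slice_offset(), EXAMPLE_INVALIDDATA stands in for AVERROR_INVALIDDATA, and sizes are computed in `long long` so every comparison is fully defined even for negative or backwards offsets. The `reject_end_equal` flag switches the combined check to the `>=` variant so the effect on a well-formed frame can be seen directly.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not libav code: a model of the slice bounds checks from
 * the rv10.c patch.  EXAMPLE_INVALIDDATA stands in for AVERROR_INVALIDDATA. */
#define EXAMPLE_INVALIDDATA (-1)

static long long llmax(long long a, long long b) { return a > b ? a : b; }

/* Walk the slice table the way the patched loop does.  Returns 0 if every
 * slice lies inside the buf_size-byte frame buffer, EXAMPLE_INVALIDDATA if not.
 * offsets[] stands in for get_slice_offset().  reject_end_equal = 1 selects the
 * ">=" variant asked about in review for the combined check; 0 is the ">" the
 * patch uses.  If out_last_end is non-NULL it receives offset + size2 of the
 * last slice that passed, so the caller can see it equals buf_size. */
static int validate_slices(const int *offsets, int slice_count, int buf_size,
                           int reject_end_equal, long long *out_last_end)
{
    if (buf_size < 0 || slice_count < 0)
        return EXAMPLE_INVALIDDATA;

    for (int i = 0; i < slice_count; i++) {
        /* As in the patch, a negative offset becomes a huge unsigned value
         * and fails the first check. */
        unsigned offset = (unsigned)offsets[i];
        long long size, size2;

        /* ">=" is right here: a slice starting at buf_size has no bytes. */
        if (offset >= (unsigned)buf_size)
            return EXAMPLE_INVALIDDATA;

        if (i + 1 == slice_count)
            size = (long long)buf_size - offset;
        else
            size = (long long)offsets[i + 1] - offset;

        if (i + 2 >= slice_count)
            size2 = (long long)buf_size - offset;
        else
            size2 = (long long)offsets[i + 2] - offset;

        /* For the last two slices size2 == buf_size - offset, so
         * offset + size2 == buf_size on every well-formed frame: the
         * combined check must be ">" or valid frames get rejected. */
        long long end = (long long)offset + llmax(size, size2);
        if (size <= 0 || size2 <= 0 ||
            (reject_end_equal ? end >= buf_size : end > buf_size))
            return EXAMPLE_INVALIDDATA;

        if (out_last_end)
            *out_last_end = (long long)offset + size2;
    }
    return 0;
}

/* Convenience wrapper: offset + size2 of the last slice of a valid table,
 * or -1 if the table is rejected. */
static long long last_slice_end(const int *offsets, int slice_count, int buf_size)
{
    long long end = 0;
    if (validate_slices(offsets, slice_count, buf_size, 0, &end) != 0)
        return -1;
    return end;
}

int main(void)
{
    /* Constructed slice tables for a 100-byte frame buffer. */
    static const int good[] = {0, 40, 70};   /* well-formed */
    static const int past[] = {0, 40, 100};  /* last slice starts at buf_size */
    static const int neg[]  = {0, -5, 50};   /* fuzzed negative offset */
    static const int back[] = {0, 60, 30};   /* offsets run backwards */

    printf("good, '>'  : %d (last offset+size2 = %lld)\n",
           validate_slices(good, 3, 100, 0, NULL), last_slice_end(good, 3, 100));
    printf("good, '>=' : %d\n", validate_slices(good, 3, 100, 1, NULL));
    printf("past end   : %d\n", validate_slices(past, 3, 100, 0, NULL));
    printf("negative   : %d\n", validate_slices(neg, 3, 100, 0, NULL));
    printf("backwards  : %d\n", validate_slices(back, 3, 100, 0, NULL));
    return 0;
}
```

The well-formed table passes with `>` and its last slice ends exactly at buf_size, while the same table is rejected by the `>=` variant; the three malformed tables are rejected by the offset check, the `size <= 0` check, and the unsigned cast respectively.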
