On Tue, Feb 14, 2012 at 03:07:07PM +0100, Janne Grunau wrote:
> Prevents crashes with the fuzzed samples from bug 88 and 125 after
> "golomb: avoid infinite loop on all-zero input".
> ---
>  libavcodec/rv34.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
> index 3e55bd1..e62f30c 100644
> --- a/libavcodec/rv34.c
> +++ b/libavcodec/rv34.c
> @@ -396,8 +396,8 @@ static int rv34_decode_inter_mb_header(RV34DecContext *r, 
> int8_t *intra_types)
>      int i, t;
>  
>      r->block_type = r->decode_mb_info(r);
> -    if(r->block_type == -1)
> -        return -1;
> +    if (r->block_type < 0 || r->block_type >= RV34_MB_TYPES)
> +        return AVERROR_INVALIDDATA;
>      s->current_picture_ptr->f.mb_type[mb_pos] = 
> rv34_mb_type_to_lavc[r->block_type];
>      r->mb_type[mb_pos] = r->block_type;
>      if(r->block_type == RV34_MB_SKIP){
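Review bot: The new error path in rv34_decode_inter_mb_header() returns AVERROR_INVALIDDATA where the old one returned -1, so any caller that compares the result with == -1 would no longer see the failure; the callers should be confirmed to test for < 0. The upper bound also depends on RV34_MB_TYPES matching the number of entries in rv34_mb_type_to_lavc[], which is indexed on the line right after the check. A short comment stating that, plus a sentence in the commit message on how decode_mb_info() can return an out-of-range value, would make the check easier to justify.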
> -- 

IIRC decode_mb_info() functions in both codecs check for decoded macroblock
type being invalid so the problem should be traced deeper.
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
