On 2012-02-14 15:22:27 +0100, Kostya Shishkov wrote:
> On Tue, Feb 14, 2012 at 03:07:07PM +0100, Janne Grunau wrote:
> > Prevents crashes with the fuzzed samples from bug 88 and 125 after
> > "golomb: avoid infinite loop on all-zero input".
> > ---
> > libavcodec/rv34.c | 4 ++--
> > 1 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
> > index 3e55bd1..e62f30c 100644
> > --- a/libavcodec/rv34.c
> > +++ b/libavcodec/rv34.c
> > @@ -396,8 +396,8 @@ static int rv34_decode_inter_mb_header(RV34DecContext
> > *r, int8_t *intra_types)
> > int i, t;
> >
> > r->block_type = r->decode_mb_info(r);
> > - if(r->block_type == -1)
> > - return -1;
> > + if (r->block_type < 0 || r->block_type >= RV34_MB_TYPES)
> > + return AVERROR_INVALIDDATA;
> > s->current_picture_ptr->f.mb_type[mb_pos] =
> > rv34_mb_type_to_lavc[r->block_type];
> > r->mb_type[mb_pos] = r->block_type;
> > if(r->block_type == RV34_MB_SKIP){
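Review bot: the new lower/upper bound check in rv34_decode_inter_mb_header() changes the error value from -1 to AVERROR_INVALIDDATA, so please confirm that every caller tests for `< 0` rather than `== -1`, otherwise a rejected macroblock type would be treated as success and still reach `rv34_mb_type_to_lavc[r->block_type]`. The `>= RV34_MB_TYPES` half of the condition is worth keeping regardless of where the root cause is fixed, since this is the line that indexes the table and an out-of-range type here is an out-of-bounds read.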
> > --
>
> IIRC decode_mb_info() functions in both codecs check for decoded macroblock
> type being invalid so the problem should be traced deeper.
Indeed, I looked for some reason only at rv40 and was puzzled how this
could happen. rv30_decode_mb_info() doesn't reject negative values.
Janne
---8<---
Prevents crashes with the fuzzed samples from bug 88 and 125 after
"golomb: avoid infinite loop on all-zero input".
---
libavcodec/rv30.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index 4828e98..9d8d220 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -103,7 +103,7 @@ static int rv30_decode_mb_info(RV34DecContext *r)
GetBitContext *gb = &s->gb;
int code = svq3_get_ue_golomb(gb);
- if(code > 11){
+ if (code > 11 || code < 0){
av_log(s->avctx, AV_LOG_ERROR, "Incorrect MB type code\n");
return -1;
}
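Review bot: `code < 0` is the right addition, since a negative value from svq3_get_ue_golomb() would otherwise pass the `> 11` test and be returned as a macroblock type; two small points. The function still returns -1 while the companion rv34.c change switched to AVERROR_INVALIDDATA, so consider `return AVERROR_INVALIDDATA;` here as well for consistency. Also, a negative `code` means the Golomb read itself failed rather than a syntactically valid but unsupported type, so testing `code < 0` first (`if (code < 0 || code > 11)`) reads more naturally and makes it easier to log the two cases differently if that is ever wanted.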
--
1.7.8.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel