On Tue, Feb 14, 2012 at 05:06:38PM +0100, Janne Grunau wrote:
> On 2012-02-14 15:22:27 +0100, Kostya Shishkov wrote:
> > On Tue, Feb 14, 2012 at 03:07:07PM +0100, Janne Grunau wrote:
> > > Prevents crashes with the fuzzed samples from bug 88 and 125 after
> > > "golomb: avoid infinite loop on all-zero input".
> > > ---
> > > libavcodec/rv34.c | 4 ++--
> > > 1 files changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
> > > index 3e55bd1..e62f30c 100644
> > > --- a/libavcodec/rv34.c
> > > +++ b/libavcodec/rv34.c
> > > @@ -396,8 +396,8 @@ static int rv34_decode_inter_mb_header(RV34DecContext
> > > *r, int8_t *intra_types)
> > > int i, t;
> > >
> > > r->block_type = r->decode_mb_info(r);
> > > - if(r->block_type == -1)
> > > - return -1;
> > > + if (r->block_type < 0 || r->block_type >= RV34_MB_TYPES)
> > > + return AVERROR_INVALIDDATA;
> > > s->current_picture_ptr->f.mb_type[mb_pos] =
> > > rv34_mb_type_to_lavc[r->block_type];
> > > r->mb_type[mb_pos] = r->block_type;
> > > if(r->block_type == RV34_MB_SKIP){
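Review bot: The new range check is what makes the table lookup on the following line safe, since `rv34_mb_type_to_lavc[r->block_type]` is indexed with the decoded value and the old `== -1` test let any other negative or oversized value through; note, however, that this is a guard at the caller, and as pointed out in the thread the decode_mb_info() callbacks are supposed to reject invalid types themselves, so the real fix belongs there and this check should be understood as a backstop. The return value also changes from `-1` to `AVERROR_INVALIDDATA`; that is fine as long as every caller of rv34_decode_inter_mb_header() tests for `< 0` rather than comparing against `-1`, which is worth confirming before committing.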
> > > --
> >
> > IIRC decode_mb_info() functions in both codecs check for decoded macroblock
> > type being invalid so the problem should be traced deeper.
>
> indeed, I looked for some reason only at rv40 and was puzzled how this
> could happen. rv30_decode_mb_info() doesn't reject negative values.
>
> Janne
>
> ---8<---
> Prevents crashes with the fuzzed samples from bug 88 and 125 after
> "golomb: avoid infinite loop on all-zero input".
> ---
> libavcodec/rv30.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
> index 4828e98..9d8d220 100644
> --- a/libavcodec/rv30.c
> +++ b/libavcodec/rv30.c
> @@ -103,7 +103,7 @@ static int rv30_decode_mb_info(RV34DecContext *r)
> GetBitContext *gb = &s->gb;
> int code = svq3_get_ue_golomb(gb);
>
> - if(code > 11){
> + if (code > 11 || code < 0){
> av_log(s->avctx, AV_LOG_ERROR, "Incorrect MB type code\n");
> return -1;
> }
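Review bot: The lower-bound test is the missing piece here, because svq3_get_ue_golomb() can now return a negative value on the all-zero input produced by the fuzzed samples, and `code > 11` alone does not catch it. Write the condition in the natural order, `if (code < 0 || code > 11) {`, as suggested in the reply, and add the space before the opening brace. For consistency with the rv34.c change in the same series, returning `AVERROR_INVALIDDATA` instead of `-1` would also be preferable, provided the caller in rv34.c only checks for a negative result.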
> --
It's more logical to write if (code < 0 || code > 11), just change it
and commit (and you can add the space before opening brace too).
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel