Traneptora/FFmpeg
1
Fork 0
forked from FFmpeg/FFmpeg
Code Pull requests Activity

rv10: verify slice offsets against buffer size

Browse source 
Found by John Villamil <johnv@matasano.com> in fuzzed rv20 in mkv files.
This commit is contained in:
Janne Grunau 2012-01-23 20:57:04 +01:00
parent 0fec2cb15c
commit 1d3a9e63e0
1 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
libavcodec/rv10.c
View file

@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
slice_count = avctx->slice_count;
for(i=0; i<slice_count; i++){
int offset= get_slice_offset(avctx, slices_hdr, i);
unsigned offset = get_slice_offset(avctx, slices_hdr, i);
int size, size2;
if (offset >= buf_size)
return AVERROR_INVALIDDATA;
if(i+1 == slice_count)
size= buf_size - offset;
else
@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx,
else
size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
if (size <= 0 || size2 <= 0 ||
offset + FFMAX(size, size2) > buf_size)
return AVERROR_INVALIDDATA;
if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
i++;
}