highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rv34: Check for invalid slices offsets

Browse Source 
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Laurent Aimar 2011-09-21 20:46:31 +02:00 committed by Reinhard Tartler
parent 047c6ad752
commit 000bd5209f
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/rv34.c
View File

@ -1466,13 +1466,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
else
size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
if(offset < 0 || offset > buf_size || size < 0){
if(offset < 0 || offset > buf_size){
av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
r->si.end = s->mb_width * s->mb_height;
if(i+1 < slice_count){
if (get_slice_offset(avctx, slices_hdr, i+1) < 0 ||
get_slice_offset(avctx, slices_hdr, i+1) > buf_size) {
av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
if(r->parse_slice_header(r, &r->s.gb, &si) < 0){
if(i+2 < slice_count)
@ -1482,6 +1487,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
}else
r->si.end = si.start;
}
if (size < 0 || size > buf_size - offset) {
av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n");
break;
}
last = rv34_decode_slice(r, r->si.end, buf + offset, size);
s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start;
if(last)