From 2bbb142a140173e1870017b66c439f4d430a6f67 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Mon, 19 Sep 2011 22:48:53 +0200
Subject: [PATCH 67/70] rv34: Check for invalid slice offsets
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
libavcodec/rv34.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
17
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
18
index 87fca5c..70c35ef 100644
19
--- a/libavcodec/rv34.c
20
+++ b/libavcodec/rv34.c
21
@@ -1441,8 +1441,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
22
slice_count = avctx->slice_count;
24
//parse first slice header to check whether this frame can be decoded
25
- if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){
26
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
27
+ if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
28
+ get_slice_offset(avctx, slices_hdr, 0) > buf_size){
29
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
32
init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
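Review bot: The new guard still accepts a first-slice offset equal to `buf_size`, so the `init_get_bits` call on the last line of this hunk receives a pointer one past the frame data with a length of zero bits, and the slice-header parse that follows then relies entirely on the input buffer's padding. Unless an empty first slice is meant to be valid, I would reject it here and read the offset once instead of four times: `int first_off = get_slice_offset(avctx, slices_hdr, 0);` followed by `if(first_off < 0 || first_off >= buf_size){`, reusing `first_off` in the `init_get_bits` arguments. The second hunk keeps the same `offset > buf_size` comparison, and there `size` is computed by subtraction before `offset` is validated and is only tested for being negative, so whether `offset + size` can run past `buf_size` depends on code outside the visible lines. ff_rv34_decode_frame begins and ends outside both hunks.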
33
@@ -1465,8 +1466,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
35
size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
37
- if(offset > buf_size){
38
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
39
+ if(offset < 0 || offset > buf_size || size < 0){
40
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");