rv10: verify slice offsets against buffer size

Found by John Villamil <johnv@matasano.com> in fuzzed rv20 in mkv files.

rv10: verify slice offsets against buffer size
Found by John Villamil <johnv@matasano.com> in fuzzed rv20 in mkv files.
1d3a9e63 · Janne Grunau · 0fec2cb1 · 1d3a9e63
Commit 1d3a9e63 authored Jan 23, 2012 by Janne Grunau
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

rv10.c libavcodec/rv10.c +8 -1

No files found.
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
        slice_count = avctx->slice_count;

    for(i=0; i<slice_count; i++){
-        int offset= get_slice_offset(avctx, slices_hdr, i);
+        unsigned offset = get_slice_offset(avctx, slices_hdr, i);
        int size, size2;

+        if (offset >= buf_size)
+            return AVERROR_INVALIDDATA;
+
        if(i+1 == slice_count)
            size= buf_size - offset;
        else
@@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx,
        else
            size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;

+        if (size <= 0 || size2 <= 0 ||
+            offset + FFMAX(size, size2) > buf_size)
+            return AVERROR_INVALIDDATA;
+
        if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
            i++;
    }