rv34: Check for invalid slices offsets

Signed-off-by: Martin Storsjö <martin@martin.st>

rv34: Check for invalid slices offsets
Signed-off-by: Martin Storsjö <martin@martin.st>
fe476e5a · Laurent Aimar · Martin Storsjö · 775af761 · fe476e5a
Commit fe476e5a authored Sep 21, 2011 by Laurent Aimar Committed by Martin Storsjö Sep 22, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

rv34.c libavcodec/rv34.c +10 -1

No files found.
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1513,13 +1513,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
        else
            size = get_slice_offset(avctx, slices_hdr, i+1) - offset;
-        if(offset < 0 || offset > buf_size || size < 0){
+        if(offset < 0 || offset > buf_size){
            av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
            break;
        }
        r->si.end = s->mb_width * s->mb_height;
        if(i+1 < slice_count){
+            if (get_slice_offset(avctx, slices_hdr, i+1) < 0 ||
+                get_slice_offset(avctx, slices_hdr, i+1) > buf_size) {
+                av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
+                break;
+            }
            init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
            if(r->parse_slice_header(r, &r->s.gb, &si) < 0){
                if(i+2 < slice_count)
@@ -1529,6 +1534,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
            }else
                r->si.end = si.start;
        }
+        if (size < 0 || size > buf_size - offset) {
+            av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n");
+            break;
+        }
        last = rv34_decode_slice(r, r->si.end, buf + offset, size);
        s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start;
        if(last)