authorKostya Shishkov <kostya.shishkov@gmail.com>2008-12-02 17:39:20 +0000
committerKostya Shishkov <kostya.shishkov@gmail.com>2008-12-02 17:39:20 +0000
commit1799d5223eba3eb8f5ae1f1db71674af9dabcb6a (patch)
tree60396956fd01ccc8ce1c2e2e8b0d8f534d4cbc02
parenta1c1c7801918c46da5525cfddb99f3467c522b02 (diff)
downloadffmpeg-1799d5223eba3eb8f5ae1f1db71674af9dabcb6a.tar.gz
Check RV30/40 slice offsets to be inside buffer.
This fixes issue 738. Originally committed as revision 15981 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/rv34.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 297a1a7635..ec80035ac8 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1389,6 +1389,11 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
else
size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
+ if(offset > buf_size){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ break;
+ }
+
r->si.end = s->mb_width * s->mb_height;
if(i+1 < slice_count){
init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
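Review bot: The added guard validates only the current slice's `offset`, while the `init_get_bits` call inside `if(i+1 < slice_count){` still uses `get_slice_offset(avctx, slices_hdr, i+1)` for both the read pointer and the bit length before that next offset has been checked by any iteration. A next-slice offset larger than `buf_size` would place the pointer past the end of the buffer and make `(buf_size-get_slice_offset(...))*8` negative, and the same unchecked value feeds `size` just above the new test. I would add `if(get_slice_offset(avctx, slices_hdr, i+1) > buf_size) break;` (with the same `av_log` message) ahead of that `init_get_bits` call, and, if `offset` is a signed type (its declaration is outside the hunk), widen the new test to `if(offset < 0 || offset > buf_size){`. ff_rv34_decode_frame starts and ends outside this hunk, so how `size` is consumed afterwards is not visible here and should be checked against `buf_size - offset` as well.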