proresdec: Check yuv slice data sizes.

Fixes overread Fixes Ticket812 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 2b73cddd40bdfd7e3c21b2fe8cbfca0277d1f786) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2011-12-21 21:06:05 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-03 21:51:53 +0100
commit: 1c930fe91544a4aae009a4c4b8d638c6a1aee9f4 (patch)
tree: b34650aacecb6a42c099bc0180dd92d26d981627
parent: a25c7081abac3a92c0fc348f449a9244d866aacd (diff)
download: ffmpeg-1c930fe91544a4aae009a4c4b8d638c6a1aee9f4.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c
index 03bb109f46..2d4ff04df9 100644
--- a/libavcodec/proresdec2.c
+++ b/libavcodec/proresdec2.c
@@ -443,7 +443,8 @@ static int decode_slice_thread(AVCodecContext *avctx, void *arg, int jobnr, int
     v_data_size = slice->data_size - y_data_size - u_data_size - hdr_size;
     if (hdr_size > 7) v_data_size = AV_RB16(buf + 6);
 
-    if (y_data_size < 0 || u_data_size < 0 || v_data_size < 0) {
+    if (y_data_size < 0 || u_data_size < 0 || v_data_size < 0
+        || hdr_size+y_data_size+u_data_size+v_data_size > slice->data_size){
         av_log(avctx, AV_LOG_ERROR, "invalid plane data size\n");
         return -1;
     }
author	Michael Niedermayer <michaelni@gmx.at>	2011-12-21 21:06:05 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-03 21:51:53 +0100
commit	1c930fe91544a4aae009a4c4b8d638c6a1aee9f4 (patch)
tree	b34650aacecb6a42c099bc0180dd92d26d981627
parent	a25c7081abac3a92c0fc348f449a9244d866aacd (diff)
download	ffmpeg-1c930fe91544a4aae009a4c4b8d638c6a1aee9f4.tar.gz