author | Janne Grunau <janne-libav@jannau.net> | 2012-01-23 20:57:04 +0100 |
---|---|---|
committer | Janne Grunau <janne-libav@jannau.net> | 2012-01-24 02:16:02 +0100 |
commit | 1d3a9e63e0dcbcba633d939cdfb79e977259be13 (patch) | |
tree | ea64d0efcb1f4023263fbadda2e0c245c54abc41 | |
parent | 0fec2cb15cc6ff1fcc724c774ec36abadcb7b6ad (diff) | |
download | ffmpeg-1d3a9e63e0dcbcba633d939cdfb79e977259be13.tar.gz |
rv10: verify slice offsets against buffer size
Found by John Villamil <johnv@matasano.com> in fuzzed rv20 in mkv files.
-rw-r--r-- | libavcodec/rv10.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 1d78c92c46..9f2fe77af7 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
 slice_count = avctx->slice_count;
 for(i=0; i<slice_count; i++){
- int offset= get_slice_offset(avctx, slices_hdr, i);
+ unsigned offset = get_slice_offset(avctx, slices_hdr, i);
 int size, size2;
+ if (offset >= buf_size)
+ return AVERROR_INVALIDDATA;
+
 if(i+1 == slice_count)
 size= buf_size - offset;
 else
@@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx,
 else
 size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
+ if (size <= 0 || size2 <= 0 ||
+ offset + FFMAX(size, size2) > buf_size)
+ return AVERROR_INVALIDDATA;
+
 if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
 i++;
 } |
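Review bot: The new checks depend on an unsigned-to-int narrowing that C11 leaves implementation-defined: once `offset` is `unsigned`, the subtractions `size= buf_size - offset;` (first hunk) and `size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;` (second hunk) are evaluated in unsigned arithmetic, and a result above INT_MAX only turns into the negative value that `size <= 0 || size2 <= 0` rejects on two's-complement targets, which is the common case but not a language guarantee; a comment on the `unsigned offset` line would make the reliance explicit, e.g. `/* unsigned: a negative value from get_slice_offset becomes large and fails the >= buf_size test; the later size <= 0 checks rely on the wrapped subtraction */`. The bound `offset + FFMAX(size, size2) > buf_size` cannot itself overflow, since `offset < buf_size` and both sizes are positive ints, so the sum stays below 2*INT_MAX. Whether the offset table that get_slice_offset reads via `slices_hdr` is bounded against `buf_size` before this loop cannot be seen here and is presumably handled earlier in the function. rv10_decode_frame starts and ends outside both hunks.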