rv30: fix extradata size check.

It has been checking the number of bits in the offset instead of the
actual offset.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit a6a2282c25abe43e352010a7c3fbc92994c0bc1c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

1 files changed, 9 insertions, 5 deletions

diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index b61b75dd77..ffd4d9666a 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -35,6 +35,7 @@
 
 static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
 {
+    AVCodecContext *avctx = r->s.avctx;
     int mb_bits;
     int w = r->s.width, h = r->s.height;
     int mb_size;
@@ -52,6 +53,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn
     si->pts = get_bits(gb, 13);
     rpr = get_bits(gb, r->rpr);
     if(rpr){
+        if (avctx->extradata_size < rpr * 2 + 8) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Insufficient extradata - need at least %d bytes, got %d\n",
+                   8 + rpr * 2, avctx->extradata_size);
+            return AVERROR(EINVAL);
+        }
+
         w = r->s.avctx->extradata[6 + rpr*2] << 2;
         h = r->s.avctx->extradata[7 + rpr*2] << 2;
     }
@@ -255,11 +263,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
     }
     r->rpr = (avctx->extradata[1] & 7) >> 1;
     r->rpr = FFMIN(r->rpr + 1, 3);
-    if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
-        av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
-               6 + r->rpr * 2, avctx->extradata_size);
-        return AVERROR(EINVAL);
-    }
+
     r->parse_slice_header = rv30_parse_slice_header;
     r->decode_intra_types = rv30_decode_intra_types;
     r->decode_mb_info     = rv30_decode_mb_info;