[FFmpeg-cvslog] rv34: Check for invalid slices offsets

Laurent Aimar git at videolan.org
Mon Mar 19 05:30:22 CET 2012


ffmpeg | branch: release/0.8 | Laurent Aimar <fenrir at videolan.org> | Wed Sep 21 20:46:31 2011 +0200| [000bd5209f91bbdaf08a29271b6b5bd8c6058c3e] | committer: Reinhard Tartler

rv34: Check for invalid slices offsets

Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit fe476e5a9b5a1e56e53f1fa62374778fa00ec1fd)

Signed-off-by: Anton Khirnov <anton at khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=000bd5209f91bbdaf08a29271b6b5bd8c6058c3e
---

 libavcodec/rv34.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 70c35ef..cc1cae2 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1466,13 +1466,18 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         else
             size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
 
-        if(offset < 0 || offset > buf_size || size < 0){
+        if(offset < 0 || offset > buf_size){
             av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
             break;
         }
 
         r->si.end = s->mb_width * s->mb_height;
         if(i+1 < slice_count){
+            if (get_slice_offset(avctx, slices_hdr, i+1) < 0 ||
+                get_slice_offset(avctx, slices_hdr, i+1) > buf_size) {
+                av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
+                break;
+            }
             init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
             if(r->parse_slice_header(r, &r->s.gb, &si) < 0){
                 if(i+2 < slice_count)
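Review bot: The new guard inside `if(i+1 < slice_count)` calls `get_slice_offset(avctx, slices_hdr, i+1)` twice for the range test, and the `init_get_bits` line below calls it twice more. The value that is validated and the value used for `buf+...` therefore match only because the helper returns the same result each time. Reading it once at the top of that block, e.g. `int next_offset = get_slice_offset(avctx, slices_hdr, i+1);` (assuming the helper returns `int`), then testing `if (next_offset < 0 || next_offset > buf_size)` and passing `buf + next_offset, (buf_size - next_offset)*8`, makes the bound and the pointer arithmetic visibly use the same number. The log text is also identical to the message for the current slice's offset a few lines up; `"Next slice offset is invalid\n"` would tell the two apart when triaging a malformed stream. The enclosing loop of ff_rv34_decode_frame starts and ends outside the hunk.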
@@ -1482,6 +1487,10 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
             }else
                 r->si.end = si.start;
         }
+        if (size < 0 || size > buf_size - offset) {
+            av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n");
+            break;
+        }
         last = rv34_decode_slice(r, r->si.end, buf + offset, size);
         s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start;
         if(last)
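Review bot: The size check added just before `rv34_decode_slice(r, r->si.end, buf + offset, size)` has no comment explaining why it sits here rather than next to the offset check, where `size < 0` used to be tested. The branch that opens at `if(i+2 < slice_count)` is cut by the hunk boundary, but it appears to reassign `size` when the next slice header fails to parse, which would be why the bound has to be enforced last. A comment such as `/* size may have been recomputed from a later slice offset above; bound it by the bytes left after offset */` would keep a later cleanup from moving the test back up. Printing the rejected values, e.g. `"Slice size %d is invalid (offset %d, buf_size %d)\n"` (assuming all three are `int`), would also make rejected streams easier to diagnose from logs.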


