rv10: verify slice offsets against buffer size
Found by John Villamil <johnv@matasano.com> in fuzzed rv20 in mkv files.
parent
0fec2cb15c
commit
1d3a9e63e0
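--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
     slice_count = avctx->slice_count;
 
     for(i=0; i<slice_count; i++){
-        int offset= get_slice_offset(avctx, slices_hdr, i);
+        unsigned offset = get_slice_offset(avctx, slices_hdr, i);
         int size, size2;
 
+        if (offset >= buf_size)
+            return AVERROR_INVALIDDATA;
+
         if(i+1 == slice_count)
             size= buf_size - offset;
         else
@@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx,
         else
             size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
 
+        if (size <= 0 || size2 <= 0 ||
+            offset + FFMAX(size, size2) > buf_size)
+            return AVERROR_INVALIDDATA;
+
         if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
             i++;
     }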
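Review bot: The `size <= 0 || size2 <= 0` test added in the second hunk depends on `get_slice_offset(avctx, slices_hdr, i+2) - offset` (and the `size=` branch that sits between the two hunks) coming out negative for a slice offset that is not after the current one, but now that `offset` is `unsigned` that subtraction is done in unsigned arithmetic and the large result is narrowed into `int size`, which is an implementation-defined conversion rather than a guaranteed negative value. It holds on the two's-complement targets FFmpeg builds for, but nothing in the code says the check relies on it; I would either compare before subtracting, `if (next_off <= offset || next_off > buf_size) return AVERROR_INVALIDDATA;` with `next_off` declared `unsigned`, or at least add `/* an offset at or before the current one wraps negative and is rejected by the size check below */` next to the `size=`/`size2=` assignments. The return type of get_slice_offset is not visible on this page, so if it already returns `unsigned` the same narrowing was present before this change. The `offset + FFMAX(size, size2) > buf_size` comparison mixes `unsigned offset` with `int` operands; it is safe only because `offset < buf_size` and `size > 0` were established first, which is worth a one-line comment. rv10_decode_frame begins and ends outside the hunk.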