slice_count = avctx->slice_count;
for(i=0; i<slice_count; i++){
- int offset= get_slice_offset(avctx, slices_hdr, i);
+ unsigned offset = get_slice_offset(avctx, slices_hdr, i);
int size, size2;
+ if (offset >= buf_size)
+ return AVERROR_INVALIDDATA;
+
if(i+1 == slice_count)
size= buf_size - offset;
else
else
size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
+ if (size <= 0 || size2 <= 0 ||
+ offset + FFMAX(size, size2) > buf_size)
+ return AVERROR_INVALIDDATA;
+
if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
i++;
}