rv10: verify slice offsets against buffer size
authorJanne Grunau <janne-libav@jannau.net>
Mon, 23 Jan 2012 19:57:04 +0000 (20:57 +0100)
committerJanne Grunau <janne-libav@jannau.net>
Tue, 24 Jan 2012 01:16:02 +0000 (02:16 +0100)
Found by John Villamil <johnv@matasano.com> using fuzzed RV20 streams in MKV (Matroska) files.

libavcodec/rv10.c

index 1d78c92..9f2fe77 100644 (file)
@@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
         slice_count = avctx->slice_count;
 
     for(i=0; i<slice_count; i++){
-        int offset= get_slice_offset(avctx, slices_hdr, i);
+        unsigned offset = get_slice_offset(avctx, slices_hdr, i);
         int size, size2;
 
+        if (offset >= buf_size)
+            return AVERROR_INVALIDDATA;
+
         if(i+1 == slice_count)
             size= buf_size - offset;
         else
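Review bot: The new guard on the `offset >= buf_size` line compares an `unsigned` offset against `buf_size`, which the `size = buf_size - offset` line below treats as a signed `int`; the comparison is therefore done in unsigned arithmetic and is only correct because a packet size is never negative, an assumption nothing in the hunk states. The switch from `int` to `unsigned offset` is what makes a slice-table entry with the top bit set fail this check instead of indexing before `buf`, and that deserves a comment so a future cleanup does not revert it, e.g. `/* slice table comes from the bitstream: an offset at or past the packet end must be rejected before buf+offset is formed */`. The surrounding `rv10_decode_frame` function and the `else` branch at the end of the hunk continue outside the visible lines, so the second slice-size computation this check also protects is not shown here.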
@@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx,
         else
             size2= get_slice_offset(avctx, slices_hdr, i+2) - offset;
 
+        if (size <= 0 || size2 <= 0 ||
+            offset + FFMAX(size, size2) > buf_size)
+            return AVERROR_INVALIDDATA;
+
         if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size)
             i++;
     }
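Review bot: The `size <= 0 || size2 <= 0` test relies on `get_slice_offset(avctx, slices_hdr, i+2) - offset` wrapping in unsigned arithmetic (offset is now `unsigned`) and then being converted back to a signed `int` to come out negative when the slice table is not monotonic; that out-of-range unsigned-to-int conversion is implementation-defined in C, even though every target libav builds on gives the two's-complement result. Stating the bound in unsigned terms avoids depending on it, e.g. `if (size <= 0 || size2 <= 0 || (unsigned)size > buf_size - offset || (unsigned)size2 > buf_size - offset) return AVERROR_INVALIDDATA;`, which is safe because the earlier check already guarantees `offset < buf_size`. Whatever form is kept, a one-line comment such as `/* size covers slice i, size2 slices i and i+1; both must end inside the packet */` would explain why two lengths are validated for one call. The `if` branch that assigns `size2` for the last slices, and the enclosing function, lie outside this hunk, so their handling of `i+2 >= slice_count` could not be checked here.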