From: Janne Grunau Date: Mon, 23 Jan 2012 19:57:04 +0000 (+0100) Subject: rv10: verify slice offsets against buffer size X-Git-Tag: v9_beta1~3407 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1d3a9e63e0dcbcba633d939cdfb79e977259be13;p=platform%2Fupstream%2Flibav.git rv10: verify slice offsets against buffer size Found by John Villamil in fuzzed rv20 in mkv files. --- diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 1d78c92..9f2fe77 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; for(i=0; i= buf_size) + return AVERROR_INVALIDDATA; + if(i+1 == slice_count) size= buf_size - offset; else @@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx, else size2= get_slice_offset(avctx, slices_hdr, i+2) - offset; + if (size <= 0 || size2 <= 0 || + offset + FFMAX(size, size2) > buf_size) + return AVERROR_INVALIDDATA; + if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size) i++; }
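Review bot: The new guard in the first hunk (rendered here as `… >= buf_size`, with the start of the added line lost in this copy) rejects only an offset at or past the end of the buffer, not a negative one; if get_slice_offset() returns a signed int decoded from the slice header, a negative offset passes that check, then also passes the second hunk's `size <= 0 || size2 <= 0 || offset + FFMAX(size, size2) > buf_size` (for the last slice `size = buf_size - offset` is positive and `offset + size == buf_size`), and `buf+offset` in the rv10_decode_packet() call points before the buffer. Widening the first check to `if (offset < 0 || offset >= buf_size)` closes that path and also keeps the `offset + FFMAX(size, size2)` sum in the second hunk away from signed overflow for large negative offsets. Whether get_slice_offset() can actually yield a negative value depends on its definition, which is outside these hunks; rv10_decode_frame() itself starts and ends outside both hunks.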