[libav-devel] [PATCH 05/11] rv10: improve buffer size check.

Anton Khirnov Wed, 06 Feb 2013 01:49:56 -0800

Check slice count and input buffer size before constructing a possibly
invalid pointer, not after.
---
 libavcodec/rv10.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 8cce6cf..38abf78 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -659,11 +659,15 @@ static int rv10_decode_frame(AVCodecContext *avctx,
     if(!avctx->slice_count){
         slice_count = (*buf++) + 1;
         buf_size--;
+
+        if (!slice_count || buf_size <= 8 * slice_count) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid slice count: %d.\n", 
slice_count);
+            return AVERROR_INVALIDDATA;
+        }
+
         slices_hdr = buf + 4;
         buf += 8 * slice_count;
         buf_size -= 8 * slice_count;
-        if (buf_size <= 0)
-            return AVERROR_INVALIDDATA;
     }else
         slice_count = avctx->slice_count;
 
-- 
1.7.10.4

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 05/11] rv10: improve buffer size check.

Reply via email to