[FFmpeg-cvslog] rv30: fix extradata size check.

Anton Khirnov git at videolan.org
Sat Jan 4 00:47:20 CET 2014


ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Thu Nov 28 10:54:35 2013 +0100| [a6a2282c25abe43e352010a7c3fbc92994c0bc1c] | committer: Anton Khirnov

rv30: fix extradata size check.

It has been checking the number of bits in the offset instead of the
actual offset.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable at libav.org

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a6a2282c25abe43e352010a7c3fbc92994c0bc1c
---

 libavcodec/rv30.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index ffb433b..82ad7d4 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -34,6 +34,7 @@
 
 static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
 {
+    AVCodecContext *avctx = r->s.avctx;
     int mb_bits;
     int w = r->s.width, h = r->s.height;
     int mb_size;
@@ -51,6 +52,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn
     si->pts = get_bits(gb, 13);
     rpr = get_bits(gb, r->rpr);
     if(rpr){
+        if (avctx->extradata_size < rpr * 2 + 8) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Insufficient extradata - need at least %d bytes, got %d\n",
+                   8 + rpr * 2, avctx->extradata_size);
+            return AVERROR(EINVAL);
+        }
+
         w = r->s.avctx->extradata[6 + rpr*2] << 2;
         h = r->s.avctx->extradata[7 + rpr*2] << 2;
     }
@@ -254,11 +262,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
     }
     r->rpr = (avctx->extradata[1] & 7) >> 1;
     r->rpr = FFMIN(r->rpr + 1, 3);
-    if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
-        av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
-               6 + r->rpr * 2, avctx->extradata_size);
-        return AVERROR(EINVAL);
-    }
+
     r->parse_slice_header = rv30_parse_slice_header;
     r->decode_intra_types = rv30_decode_intra_types;
     r->decode_mb_info     = rv30_decode_mb_info;



More information about the ffmpeg-cvslog mailing list