[FFmpeg-cvslog] rv30: fix extradata size check.
Anton Khirnov
git at videolan.org
Sun Jan 12 15:52:50 CET 2014
ffmpeg | branch: release/1.1 | Anton Khirnov <anton at khirnov.net> | Thu Nov 28 10:54:35 2013 +0100| [343c87ac19c8db3f102d21a928c0e07980c056cc] | committer: Reinhard Tartler
rv30: fix extradata size check.
It has been checking the number of bits in the offset instead of the
actual offset.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable at libav.org
(cherry picked from commit a6a2282c25abe43e352010a7c3fbc92994c0bc1c)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=343c87ac19c8db3f102d21a928c0e07980c056cc
---
libavcodec/rv30.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index b61b75d..ffd4d96 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -35,6 +35,7 @@
static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si)
{
+ AVCodecContext *avctx = r->s.avctx;
int mb_bits;
int w = r->s.width, h = r->s.height;
int mb_size;
@@ -52,6 +53,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn
si->pts = get_bits(gb, 13);
rpr = get_bits(gb, r->rpr);
if(rpr){
+ if (avctx->extradata_size < rpr * 2 + 8) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Insufficient extradata - need at least %d bytes, got %d\n",
+ 8 + rpr * 2, avctx->extradata_size);
+ return AVERROR(EINVAL);
+ }
+
w = r->s.avctx->extradata[6 + rpr*2] << 2;
h = r->s.avctx->extradata[7 + rpr*2] << 2;
}
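Review bot: The new bounds check in the `if(rpr)` branch is the only guard on the `extradata[6 + rpr*2]` and `extradata[7 + rpr*2]` reads, but nothing in the code says why the limit is `rpr * 2 + 8`. A one-line comment such as `/* rpr is read from the slice header; the reads below index up to extradata[7 + rpr*2] */` would keep the check and the indices from drifting apart. The two reads could also use the new local, e.g. `w = avctx->extradata[6 + rpr*2] << 2;`, so the check and the access visibly refer to the same buffer. Because the value that fails the check comes from the bitstream rather than from the caller, `AVERROR_INVALIDDATA` may be a better fit than `AVERROR(EINVAL)`. The body of rv30_parse_slice_header continues outside this hunk, so how `w` and `h` are used afterwards is not visible here.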
@@ -255,11 +263,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
}
r->rpr = (avctx->extradata[1] & 7) >> 1;
r->rpr = FFMIN(r->rpr + 1, 3);
- if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
- av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
- 6 + r->rpr * 2, avctx->extradata_size);
- return AVERROR(EINVAL);
- }
+
r->parse_slice_header = rv30_parse_slice_header;
r->decode_intra_types = rv30_decode_intra_types;
r->decode_mb_info = rv30_decode_mb_info;