From 1d3a9e63e0dcbcba633d939cdfb79e977259be13 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 23 Jan 2012 20:57:04 +0100 Subject: rv10: verify slice offsets against buffer size Found by John Villamil in fuzzed rv20 in mkv files. --- libavcodec/rv10.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'libavcodec/rv10.c') diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 1d78c92c46..9f2fe77af7 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -647,9 +647,12 @@ static int rv10_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; for(i=0; i= buf_size) + return AVERROR_INVALIDDATA; + if(i+1 == slice_count) size= buf_size - offset; else @@ -660,6 +663,10 @@ static int rv10_decode_frame(AVCodecContext *avctx, else size2= get_slice_offset(avctx, slices_hdr, i+2) - offset; + if (size <= 0 || size2 <= 0 || + offset + FFMAX(size, size2) > buf_size) + return AVERROR_INVALIDDATA; + if(rv10_decode_packet(avctx, buf+offset, size, size2) > 8*size) i++; } -- cgit v1.2.3
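Review bot: The new `if (offset >= buf_size)` guard in the first hunk and the `offset + FFMAX(size, size2) > buf_size` guard in the second are both evaluated in signed arithmetic if `offset` (whose declaration is not legible in this extracted hunk, the text around `for(i=0; i= buf_size)` is garbled) is an `int` holding a raw 32-bit value from the slice table, so a table entry with the top bit set yields a negative offset that passes `offset >= buf_size`, and a negative neighbouring entry makes `get_slice_offset(..., i+1) - offset` overflow, which is undefined and in practice wraps to a positive `size` whose `offset + size` wraps back below `buf_size`, leaving `buf+offset` / `size` pointing outside the packet. Declaring the slice offset unsigned, `unsigned offset = get_slice_offset(avctx, slices_hdr, i);`, makes both comparisons and the subtractions unsigned so that any out-of-range neighbour entry surfaces as either `size <= 0` or `offset + FFMAX(size, size2) > buf_size`; alternatively, reject `offset < 0` and validate the `i+1` and `i+2` offsets against `buf_size` before subtracting. Whether the reads of the slice table itself (`slices_hdr`, `slice_count * 8` bytes) are bounded by `buf_size` is decided outside these hunks and is worth confirming, since the same fuzzed input shape exercises it. The `for` loop body continues past the end of the second hunk.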