rv10: improve buffer size check.

Check slice count and input buffer size before constructing a possibly invalid pointer, not after.
author: Anton Khirnov <anton@khirnov.net> 2013-02-03 08:42:02 +0100
committer: Anton Khirnov <anton@khirnov.net> 2013-02-06 21:47:57 +0100
commit: 605b047bcc48482dc8a356f56629da259fbddbf1 (patch)
tree: 77d7146f0aed3b19b47f6bbf9daa875de7f212fd /libavcodec/rv10.c
parent: c5fcdb440237f06f6c954185ab60970cabf786a2 (diff)
download: ffmpeg-605b047bcc48482dc8a356f56629da259fbddbf1.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 8cce6cf699..38abf7841a 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -659,11 +659,15 @@ static int rv10_decode_frame(AVCodecContext *avctx,
     if(!avctx->slice_count){
         slice_count = (*buf++) + 1;
         buf_size--;
+
+        if (!slice_count || buf_size <= 8 * slice_count) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid slice count: %d.\n", slice_count);
+            return AVERROR_INVALIDDATA;
+        }
+
         slices_hdr = buf + 4;
         buf += 8 * slice_count;
         buf_size -= 8 * slice_count;
-        if (buf_size <= 0)
-            return AVERROR_INVALIDDATA;
     }else
         slice_count = avctx->slice_count;
author	Anton Khirnov <anton@khirnov.net>	2013-02-03 08:42:02 +0100
committer	Anton Khirnov <anton@khirnov.net>	2013-02-06 21:47:57 +0100
commit	605b047bcc48482dc8a356f56629da259fbddbf1 (patch)
tree	77d7146f0aed3b19b47f6bbf9daa875de7f212fd /libavcodec/rv10.c
parent	c5fcdb440237f06f6c954185ab60970cabf786a2 (diff)
download	ffmpeg-605b047bcc48482dc8a356f56629da259fbddbf1.tar.gz