rv10: improve buffer size check.
Check slice count and input buffer size before constructing a possibly invalid pointer, not after.
parent
c5fcdb4402
commit
605b047bcc
@ -659,11 +659,15 @@ static int rv10_decode_frame(AVCodecContext *avctx,
|
|||||||
if(!avctx->slice_count){
|
if(!avctx->slice_count){
|
||||||
slice_count = (*buf++) + 1;
|
slice_count = (*buf++) + 1;
|
||||||
buf_size--;
|
buf_size--;
|
||||||
|
|
||||||
|
if (!slice_count || buf_size <= 8 * slice_count) {
|
||||||
|
av_log(avctx, AV_LOG_ERROR, "Invalid slice count: %d.\n", slice_count);
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
|
|
||||||
slices_hdr = buf + 4;
|
slices_hdr = buf + 4;
|
||||||
buf += 8 * slice_count;
|
buf += 8 * slice_count;
|
||||||
buf_size -= 8 * slice_count;
|
buf_size -= 8 * slice_count;
|
||||||
if (buf_size <= 0)
|
|
||||||
return AVERROR_INVALIDDATA;
|
|
||||||
}else
|
}else
|
||||||
slice_count = avctx->slice_count;
|
slice_count = avctx->slice_count;
|
||||||
|
|
||||||
|
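Review bot: The first byte is still dereferenced by `slice_count = (*buf++) + 1;` before any size test in this hunk, so the new check does not cover an empty packet. Unless an earlier part of rv10_decode_frame (outside the hunk) already rejects it, add `if (buf_size < 1) return AVERROR_INVALIDDATA;` ahead of that line. The "Invalid slice count" message is also printed when the count is valid and the buffer is simply too short; logging both values, e.g. `"Invalid slice count %d or truncated buffer (%d bytes left).\n"` with `slice_count, buf_size`, would make truncated-input reports easier to triage. The `!slice_count` term looks unreachable if slice_count is a plain int, since it is assigned a byte value plus one, but its declaration is outside the hunk.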