Mercurial > libavcodec.hg
comparison rv34.c @ 8243:d5949e5d36f3 libavcodec
Check RV30/40 slice offsets to be inside buffer.
This fixes issue 738
author | kostya |
---|---|
date | Tue, 02 Dec 2008 17:39:20 +0000 |
parents | 91a340f25c8c |
children | 3f3d653fb46d |
comparison
equal
deleted
inserted
replaced
8242:91a340f25c8c | 8243:d5949e5d36f3 |
---|---|
1387 if(i+1 == slice_count) | 1387 if(i+1 == slice_count) |
1388 size= buf_size - offset; | 1388 size= buf_size - offset; |
1389 else | 1389 else |
1390 size= get_slice_offset(avctx, slices_hdr, i+1) - offset; | 1390 size= get_slice_offset(avctx, slices_hdr, i+1) - offset; |
1391 | 1391 |
1392 if(offset > buf_size){ | |
1393 av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); | |
1394 break; | |
1395 } | |
1396 | |
1392 r->si.end = s->mb_width * s->mb_height; | 1397 r->si.end = s->mb_width * s->mb_height; |
1393 if(i+1 < slice_count){ | 1398 if(i+1 < slice_count){ |
1394 init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); | 1399 init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); |
1395 if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ | 1400 if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ |
1396 if(i+2 < slice_count) | 1401 if(i+2 < slice_count) |