Mercurial > libavcodec.hg
comparison rv34.c @ 8243:d5949e5d36f3 libavcodec
Check RV30/40 slice offsets to be inside buffer.
This fixes issue 738
| author | kostya |
|---|---|
| date | Tue, 02 Dec 2008 17:39:20 +0000 |
| parents | 91a340f25c8c |
| children | 3f3d653fb46d |
comparison
equal
deleted
inserted
replaced
| 8242:91a340f25c8c | 8243:d5949e5d36f3 |
|---|---|
| 1387 if(i+1 == slice_count) | 1387 if(i+1 == slice_count) |
| 1388 size= buf_size - offset; | 1388 size= buf_size - offset; |
| 1389 else | 1389 else |
| 1390 size= get_slice_offset(avctx, slices_hdr, i+1) - offset; | 1390 size= get_slice_offset(avctx, slices_hdr, i+1) - offset; |
| 1391 | 1391 |
| 1392 if(offset > buf_size){ | |
| 1393 av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); | |
| 1394 break; | |
| 1395 } | |
| 1396 | |
| 1392 r->si.end = s->mb_width * s->mb_height; | 1397 r->si.end = s->mb_width * s->mb_height; |
| 1393 if(i+1 < slice_count){ | 1398 if(i+1 < slice_count){ |
| 1394 init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); | 1399 init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); |
| 1395 if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ | 1400 if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ |
| 1396 if(i+2 < slice_count) | 1401 if(i+2 < slice_count) |