From 2b73cddd40bdfd7e3c21b2fe8cbfca0277d1f786 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Dec 2011 21:06:05 +0100 Subject: [PATCH] proresdec: Check yuv slice data sizes. Fixes overread Fixes Ticket812 Bug found by: Oana Stratulat Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 82848a46e7..18decae116 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -443,7 +443,8 @@ static int decode_slice_thread(AVCodecContext *avctx, void *arg, int jobnr, int v_data_size = slice->data_size - y_data_size - u_data_size - hdr_size; if (hdr_size > 7) v_data_size = AV_RB16(buf + 6); - if (y_data_size < 0 || u_data_size < 0 || v_data_size < 0) { + if (y_data_size < 0 || u_data_size < 0 || v_data_size < 0 + || hdr_size+y_data_size+u_data_size+v_data_size > slice->data_size){ av_log(avctx, AV_LOG_ERROR, "invalid plane data size\n"); return -1; }