Comment 6 for bug 690169

Dan Rosenberg (dan-j-rosenberg) wrote:

I stumbled upon this bug again when fuzzing RealPlayer (.rm) files, but this time, it seems to cause heap corruption in ffmpeg and ffplay (both 0.5.1 and 0.5.3).

I'm attaching four files here. If any of these turn out to be independent issues, this may require the allocation of more CVEs, but I figured the root cause of each issue should be determined first. The files are as follows:

1. sample.rm - the original unaltered file, which obviously does not crash ffmpeg or vlc

2. pred4x4_128_dc_c.rm - a fuzzed file that causes heap corruption in ffmpeg and crashes vlc with an out-of-bounds write in pred4x4_128_dc_c()

3. put_dc.rm - a fuzzed file that causes heap corruption in ffmpeg and crashes vlc with an out-of-bounds write in put_dc(), which is the same crash location as the previously attached WMV file.

4. heap.rm - causes heap corruption in ffmpeg

It's likely that pred4x4_128_dc_c.rm and put_dc.rm are caused by the same underlying problem, since they differ by a single byte that results in the crash occurring at a different place. I haven't determined whether or not heap.rm is the same issue. Hopefully these files help get to the bottom of the issue(s).