Fixes: integer overflow No testcase
Found-by: 김승호 <kimsh...@naver.com> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/encode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/encode.c b/libavcodec/encode.c index 72dfa8867ab..6a7781336f2 100644 --- a/libavcodec/encode.c +++ b/libavcodec/encode.c @@ -197,6 +197,12 @@ int avcodec_encode_subtitle(AVCodecContext *avctx, uint8_t *buf, int buf_size, return -1; } + for (int i = 0; i<sub->num_rects; i++) + if (sub->rects[i]->nb_colors > 256) { + av_log(avctx, AV_LOG_ERROR, "nb_colors %d in rect %d is too large\n", sub->rects[i]->nb_colors, i); + return AVERROR_PATCHWELCOME; + } + ret = ffcodec(avctx->codec)->cb.encode_sub(avctx, buf, buf_size, sub); avctx->frame_num++; return ret; -- 2.49.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".