Module: libav Branch: release/11 Commit: 6a605af7881cd10bd204f99f8c1bf7f7fdbd8d6b
Author: Luca Barbato <[email protected]> Committer: Luca Barbato <[email protected]> Date: Wed Nov 11 20:08:29 2015 +0100 dvdsubdec: Validate the RLE offsets CC: [email protected] --- libavcodec/dvdsubdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 15abac0..a4d0d6f 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx, static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, const uint8_t *buf, int buf_size) { - int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos; + int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos; int big_offsets, offset_size, is_8bit = 0; const uint8_t *yuv_palette = 0; uint8_t colormap[4] = { 0 }, alpha[256] = { 0 }; int date; int i; int is_menu = 0; + int64_t offset1, offset2; if (buf_size < 10) return -1; @@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: + if (offset1 >= buf_size || offset2 >= buf_size) + goto fail; + if (offset1 >= 0) { int w, h; uint8_t *bitmap; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
