vlc | branch: master | Zinuo Han <[email protected]> | Tue Mar  5 12:34:18 
2019 +0100| [824ffaaeebe9751fd62ad461145600457f28fe71] | committer: Hugo 
Beauzée-Luyssen

spudec: Fix potential integer underflow

https://hackerone.com/reports/504668
Signed-off-by: Hugo Beauzée-Luyssen <[email protected]>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=824ffaaeebe9751fd62ad461145600457f28fe71
---

 modules/codec/spudec/parse.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/codec/spudec/parse.c b/modules/codec/spudec/parse.c
index a5f23baa7d..80d224ad65 100644
--- a/modules/codec/spudec/parse.c
+++ b/modules/codec/spudec/parse.c
@@ -325,6 +325,11 @@ static int ParseControlSeq( decoder_t *p_dec, subpicture_t 
*p_spu,
             p_spu_properties->i_height = (((p_sys->buffer[i_index+5]&0x0f)<<8)|
                               p_sys->buffer[i_index+6]) - 
p_spu_properties->i_y + 1;
 
+            if (p_spu_properties->i_width < 0 || p_spu_properties->i_height < 
0) {
+                msg_Err( p_dec, "integer overflow in SPU command" );
+                return VLC_EGENERIC;
+            }
+
             /* Auto crop fullscreen subtitles */
             if( p_spu_properties->i_height > 250 )
                 p_spu_data->b_auto_crop = true;
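Review bot: The new check in ParseControlSeq rejects only negative results (`i_width < 0 || i_height < 0`), so a height of exactly 0 still passes: the expression just above it is the 12-bit end coordinate minus `i_y` plus 1, which is 0 when the end coordinate equals `i_y - 1`. If the code that later consumes these dimensions expects a non-empty area, the comparison should be `<= 0`; if zero is acceptable, a short comment saying so would help. The log text also says "integer overflow" while the commit subject says underflow and the condition being caught is a subtraction going negative; a message such as "invalid SPU area size" with both values printed would make the log line more useful for triage.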

_______________________________________________
vlc-commits mailing list
[email protected]
https://mailman.videolan.org/listinfo/vlc-commits
