vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Thu Feb 28 14:54:44 2019 +0100| [e1db0dcfffd2fde3b2dcec5b42690f7098bfd310] | committer: Hugo Beauzée-Luyssen
textst: Fix potential buffer overflow https://hackerone.com/reports/503242 (cherry picked from commit 6f8e90c21c102dc4653d4f0adc6cffc53fcddba1) Signed-off-by: Hugo Beauzée-Luyssen <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=e1db0dcfffd2fde3b2dcec5b42690f7098bfd310 --- modules/codec/textst.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/codec/textst.c b/modules/codec/textst.c index c5c414f1cb..d3949ced7d 100644 --- a/modules/codec/textst.c +++ b/modules/codec/textst.c @@ -73,6 +73,8 @@ static size_t textst_FillRegion(decoder_t *p_dec, const uint8_t *p_data, size_t /* forced_on_flag b1 */ /* ? b6 */ + assert( i_data >= 4 ); + //uint8_t region_style_id_ref = p_data[1]; uint16_t i_data_length = GetWBE(&p_data[2]); @@ -206,7 +208,7 @@ static void textst_FillRegions(decoder_t *p_dec, const uint8_t *p_data, size_t i uint8_t i_region_count = p_data[0]; p_data++; i_data--; - for(uint8_t i=0; i<i_region_count && i_data > 0; i++) + for(uint8_t i=0; i<i_region_count && i_data > 4; i++) { if(*pp_last == NULL) { _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
