[libav-devel] [PATCH] pgssubdec: check RLE size before copying. Fix out of array accesses

siretart Wed, 30 Jul 2014 18:32:30 -0700

From: Michael Niedermayer <[email protected]>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <[email protected]>
Addresses: CVE-2013-0852


Conflicts:
        libavcodec/pgssubdec.c
---
 libavcodec/pgssubdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 1cafd9f..d5185ee 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -285,6 +285,11 @@ static int parse_object_segment(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
     }
 
+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     object->w = width;
     object->h = height;
 
-- 
1.9.1

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH] pgssubdec: check RLE size before copying. Fix out of array accesses

Reply via email to