Re: [libav-devel] [PATCH] pgssubdec: check RLE size before copying. Fix out of array accesses

Luca Barbato Thu, 31 Jul 2014 02:11:35 -0700

On 31/07/14 03:31, [email protected] wrote:
> From: Michael Niedermayer <[email protected]>
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <[email protected]>
> Addresses: CVE-2013-0852


Bug-Id: please

> 
> Conflicts:
>       libavcodec/pgssubdec.c

Drop this

> ---
>  libavcodec/pgssubdec.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
> index 1cafd9f..d5185ee 100644
> --- a/libavcodec/pgssubdec.c
> +++ b/libavcodec/pgssubdec.c
> @@ -285,6 +285,11 @@ static int parse_object_segment(AVCodecContext *avctx,
>          return AVERROR_INVALIDDATA;
>      }
>  
> +    if (buf_size > rle_bitmap_len) {
> +        av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
> +        return AVERROR_INVALIDDATA;
> +    }

should go where the rle_bitmap_len is parsed.

> +
>      object->w = width;
>      object->h = height;
>  
> 

I'll amend the patch myself.

lu

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Re: [libav-devel] [PATCH] pgssubdec: check RLE size before copying. Fix out of array accesses

Reply via email to