subject:"\[FFmpeg\-cvslog\] avcodec\/dvdsubdec\: fix out of bounds accesses"

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-03-13 Thread wm4

ffmpeg | branch: release/1.1 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [1b9a62c357b1e0045b5c1eb6fb6e5f3cdbd979ce] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b9a62c357b1e0045b5c1eb6fb6e5f3cdbd979ce
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index cc9e11b..8beec50 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -98,6 +98,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -339,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (yuv_palette == 0)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-03-12 Thread wm4

ffmpeg | branch: release/0.10 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [ce219702c3469e16fd1c70fc750a59b71ae8c8d5] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce219702c3469e16fd1c70fc750a59b71ae8c8d5
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index f4b5439..1890cdd 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -94,6 +94,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -336,10 +339,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (yuv_palette == 0)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-02-04 Thread wm4

ffmpeg | branch: release/1.2 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [931f4313b2ec2e47bb34b6906ec53df6d3d45f9a] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=931f4313b2ec2e47bb34b6906ec53df6d3d45f9a
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index cb268b8..2200633 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -99,6 +99,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -340,10 +343,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (yuv_palette == 0)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-01-19 Thread wm4

ffmpeg | branch: release/2.2 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [0d481efb7b81ab2f0491a854a4fd5d8cfb305680] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0d481efb7b81ab2f0491a854a4fd5d8cfb305680
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 637f3e6..0fcf0fb 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (yuv_palette == 0)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-01-13 Thread wm4

ffmpeg | branch: release/2.4 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [e2e145db89913e86e9b8573b1b90f001c46dee5e] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2e145db89913e86e9b8573b1b90f001c46dee5e
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 7355c03..5e22556 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (!yuv_palette)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-01-09 Thread wm4

ffmpeg | branch: release/2.5 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [e0a12b3dc3a252412e91416ebbbf9449e82e4bd0] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0a12b3dc3a252412e91416ebbbf9449e82e4bd0
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 39604f3..20b9d41 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (!yuv_palette)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-01-06 Thread wm4

ffmpeg | branch: release/2.3 | wm4  | Mon Jan  5 
04:45:26 2015 +0100| [f03888b449faf2888a149cae3b340ea13c6f85fa] | committer: 
Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f03888b449faf2888a149cae3b340ea13c6f85fa
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 39b0e25..7dbaf17 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (yuv_palette == 0)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

2015-01-05 Thread wm4

ffmpeg | branch: master | wm4  | Mon Jan  5 04:45:26 
2015 +0100| [c9151de7c42553bb145be608df8513c1287f1f24] | committer: Michael 
Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9151de7c42553bb145be608df8513c1287f1f24
---

 libavcodec/dvdsubdec.c |   13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index c7d85a6..2423cad 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 int x, y, len, color;
 uint8_t *d;
 
+if (start >= buf_size)
+return -1;
+
 bit_len = (buf_size - start) * 8;
 init_get_bits(&gb, buf + start, bit_len);
 
@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, 
AVSubtitle *sub_header,
 sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
 sub_header->num_rects = 1;
 sub_header->rects[0]->pict.data[0] = bitmap;
-decode_rle(bitmap, w * 2, w, (h + 1) / 2,
-   buf, offset1, buf_size, is_8bit);
-decode_rle(bitmap + w, w * 2, w, h / 2,
-   buf, offset2, buf_size, is_8bit);
+if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+   buf, offset1, buf_size, is_8bit) < 0)
+goto fail;
+if (decode_rle(bitmap + w, w * 2, w, h / 2,
+   buf, offset2, buf_size, is_8bit) < 0)
+goto fail;
 sub_header->rects[0]->pict.data[1] = 
av_mallocz(AVPALETTE_SIZE);
 if (is_8bit) {
 if (!yuv_palette)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses

8 matches

Site Navigation

Mail list logo

Footer information