ffmpeg | branch: master | Luca Barbato <lu_z...@gentoo.org> | Wed Nov 11 20:08:29 2015 +0100| [5c30ae1a09b66179e16694f6137658023ed1fef3] | committer: Luca Barbato
dvdsubdec: Validate the RLE offsets CC: libav-sta...@libav.org > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5c30ae1a09b66179e16694f6137658023ed1fef3
---
 libavcodec/dvdsubdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 15c49c4..da1a83f 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
 static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
 const uint8_t *buf, int buf_size)
 {
- int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+ int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
 int big_offsets, offset_size, is_8bit = 0;
 const uint8_t *yuv_palette = 0;
 uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
 int date;
 int i;
 int is_menu = 0;
+ int64_t offset1, offset2;
 
 if (buf_size < 10)
 return -1;
@@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
 }
 }
 the_end:
+ if (offset1 >= buf_size || offset2 >= buf_size)
+ goto fail;
+
 if (offset1 >= 0) {
 int w, h;
 uint8_t *bitmap;
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
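Review bot: The widened declaration `int64_t offset1, offset2;` in decode_dvd_subtitles has no comment saying why these two locals are 64-bit while every other one stays `int`. Presumably a large offset field read from the packet has to stay positive so that the `>= buf_size` comparison added at `the_end` can reject it, but the code that reads the offsets is outside this hunk. I would add `/* 64-bit: an offset taken from the packet must not wrap negative before it is compared with buf_size */` above the declaration, so that a later cleanup does not narrow them back to int. The function body continues outside the hunk.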
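Review bot: The new check at `the_end` bounds both offsets from above only, and the guard that follows it, `if (offset1 >= 0) {`, tests offset1 alone, so a packet that yields a valid offset1 but leaves offset2 negative would still enter the block that declares `bitmap`. Whether offset2 can be negative at this point depends on its initialisation, which is not visible in this hunk; if it starts from a sentinel such as -1, the guard should read `if (offset1 >= 0 && offset2 >= 0) {`. It is also worth confirming that both variables are assigned on every path that jumps to `the_end`, since the added comparison reads them unconditionally. The block opened by `if (offset1 >= 0) {` ends outside the hunk.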