RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

dvbsubdec: check against buffer overreads 

Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
(cherry picked from commit 493aa30adf)
This commit is contained in:
Janne Grunau 2011-02-09 23:23:22 +01:00 committed by Michael Niedermayer
parent 20708223db
commit 1a08928538
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/dvbsubdec.c
View File

@ -1423,13 +1423,15 @@ static int dvbsub_decode(AVCodecContext *avctx,
#endif #endif
if (buf_size <= 2 || *buf != 0x0f) if (buf_size <= 6 || *buf != 0x0f) {
av_dlog(avctx, "incomplete or broken packet");
return -1; return -1;
}
p = buf; p = buf;
p_end = buf + buf_size; p_end = buf + buf_size;
while (p < p_end && *p == 0x0f) { while (p_end - p >= 6 && *p == 0x0f) {
p += 1; p += 1;
segment_type = *p++; segment_type = *p++;
page_id = AV_RB16(p); page_id = AV_RB16(p);
@ -1437,6 +1439,11 @@ static int dvbsub_decode(AVCodecContext *avctx,
segment_length = AV_RB16(p); segment_length = AV_RB16(p);
p += 2; p += 2;
if (p_end - p < segment_length) {
av_dlog(avctx, "incomplete or broken packet");
return -1;
}
if (page_id == ctx->composition_id || page_id == ctx->ancillary_id || if (page_id == ctx->composition_id || page_id == ctx->ancillary_id ||
ctx->composition_id == -1 || ctx->ancillary_id == -1) { ctx->composition_id == -1 || ctx->ancillary_id == -1) {
switch (segment_type) { switch (segment_type) {