mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/pgssubdec: Check input buffer size in parse_presentation_segment()
Might fix overread, no testcase known though. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
ae9a73de2a
commit
89bcb77726
|
@ -380,6 +380,7 @@ static int parse_presentation_segment(AVCodecContext *avctx,
|
||||||
{
|
{
|
||||||
PGSSubContext *ctx = avctx->priv_data;
|
PGSSubContext *ctx = avctx->priv_data;
|
||||||
int i, state, ret;
|
int i, state, ret;
|
||||||
|
const uint8_t *buf_end = buf + buf_size;
|
||||||
|
|
||||||
// Video descriptor
|
// Video descriptor
|
||||||
int w = bytestream_get_be16(&buf);
|
int w = bytestream_get_be16(&buf);
|
||||||
|
@ -433,6 +434,13 @@ static int parse_presentation_segment(AVCodecContext *avctx,
|
||||||
|
|
||||||
for (i = 0; i < ctx->presentation.object_count; i++)
|
for (i = 0; i < ctx->presentation.object_count; i++)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
if (buf_end - buf < 8) {
|
||||||
|
av_log(avctx, AV_LOG_ERROR, "Insufficent space for object\n");
|
||||||
|
ctx->presentation.object_count = i;
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
|
|
||||||
ctx->presentation.objects[i].id = bytestream_get_be16(&buf);
|
ctx->presentation.objects[i].id = bytestream_get_be16(&buf);
|
||||||
ctx->presentation.objects[i].window_id = bytestream_get_byte(&buf);
|
ctx->presentation.objects[i].window_id = bytestream_get_byte(&buf);
|
||||||
ctx->presentation.objects[i].composition_flag = bytestream_get_byte(&buf);
|
ctx->presentation.objects[i].composition_flag = bytestream_get_byte(&buf);
|
||||||
|
|
Loading…
Reference in New Issue