RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/dvdsubdec: fix out of bounds accesses 

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
wm4 2015-01-05 04:45:26 +01:00 committed by Michael Niedermayer
parent beedeb4399
commit c9151de7c4
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
libavcodec/dvdsubdec.c
View File

@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
int x, y, len, color;
uint8_t *d;
if (start >= buf_size)
return -1;
bit_len = (buf_size - start) * 8;
init_get_bits(&gb, buf + start, bit_len);
@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
sub_header->num_rects = 1;
sub_header->rects[0]->pict.data[0] = bitmap;
decode_rle(bitmap, w * 2, w, (h + 1) / 2,
buf, offset1, buf_size, is_8bit);
decode_rle(bitmap + w, w * 2, w, h / 2,
buf, offset2, buf_size, is_8bit);
if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
buf, offset1, buf_size, is_8bit) < 0)
goto fail;
if (decode_rle(bitmap + w, w * 2, w, h / 2,
buf, offset2, buf_size, is_8bit) < 0)
goto fail;
sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
if (is_8bit) {
if (!yuv_palette)