mirror of https://git.ffmpeg.org/ffmpeg.git
pgssubdec: Check RLE size before copying
Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
parent
a0ce85ac7d
commit
d98e6c5d5d
|
@ -275,6 +275,13 @@ static int parse_object_segment(AVCodecContext *avctx,
|
|||
/* Decode rle bitmap length, stored size includes width/height data */
|
||||
rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;
|
||||
|
||||
if (buf_size > rle_bitmap_len) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"Buffer dimension %d larger than the expected RLE data %d\n",
|
||||
buf_size, rle_bitmap_len);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
/* Get bitmap dimensions from data */
|
||||
width = bytestream_get_be16(&buf);
|
||||
height = bytestream_get_be16(&buf);
|
||||
|
|
Loading…
Reference in New Issue