RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-02 02:30:58 +00:00
Code Issues Projects Releases Wiki Activity

pgssubdec: Check RLE size before copying

Browse Source 
Make sure the buffer size does not exceed the expected
RLE size.

Prevent an out of array bound write.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
Michael Niedermayer 2014-07-30 21:31:19 -04:00 committed by Luca Barbato
parent a0ce85ac7d
commit d98e6c5d5d
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/pgssubdec.c
View File

@ -275,6 +275,13 @@ static int parse_object_segment(AVCodecContext *avctx,
/* Decode rle bitmap length, stored size includes width/height data */ /* Decode rle bitmap length, stored size includes width/height data */
rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;
if (buf_size > rle_bitmap_len) {
av_log(avctx, AV_LOG_ERROR,
"Buffer dimension %d larger than the expected RLE data %d\n",
buf_size, rle_bitmap_len);
return AVERROR_INVALIDDATA;
}
/* Get bitmap dimensions from data */ /* Get bitmap dimensions from data */
width = bytestream_get_be16(&buf); width = bytestream_get_be16(&buf);
height = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf);