* modules/codec/dvbsub.c: more sanity checks.

author Gildas Bazin <gbazin@videolan.org>

Thu, 14 Oct 2004 10:10:48 +0000 (10:10 +0000)

committer Gildas Bazin <gbazin@videolan.org>

Thu, 14 Oct 2004 10:10:48 +0000 (10:10 +0000)
author Gildas Bazin <gbazin@videolan.org>
Thu, 14 Oct 2004 10:10:48 +0000 (10:10 +0000)
committer Gildas Bazin <gbazin@videolan.org>
Thu, 14 Oct 2004 10:10:48 +0000 (10:10 +0000)
diff --git a/modules/codec/dvbsub.c b/modules/codec/dvbsub.c

index 8b3cb703c3b2b6c91c0aa4271080f864d7f4d9c7..e48a313a8b24962644eccea9ddfb5e246f46d3ae 100644 (file)
--- a/modules/codec/dvbsub.c
+++ b/modules/codec/dvbsub.c
@@ -842,6 +842,16 @@ static void decode_object( decoder_t *p_dec, bs_t *s )
          p_topfield    = s->p_start + bs_pos( s ) / 8;
          p_bottomfield = p_topfield + i_topfield;
  
+        bs_skip( s, 8 * (i_segment_length - 7) );
+
+        /* Sanity check */
+        if( i_segment_length < i_topfield + i_bottomfield + 7 ||
+            s->p_start + i_topfield + i_bottomfield > s->p_end )
+        {
+            msg_Dbg( p_dec, "corrupted object data" );
+            return;
+        }
+
          for( p_region = p_sys->p_regions; p_region != NULL;
               p_region = p_region->p_next )
          {
@@ -853,18 +863,24 @@ static void decode_object( decoder_t *p_dec, bs_t *s )
                                       p_region->p_object_defs[i].i_x,
                                       p_region->p_object_defs[i].i_y,
                                       p_topfield, i_topfield );
-                dvbsub_render_pdata( p_dec, p_region,
-                                     p_region->p_object_defs[i].i_x,
-                                     p_region->p_object_defs[i].i_y + 1,
-                                     p_bottomfield, i_bottomfield );
+
+                if( i_bottomfield )
+                {
+                    dvbsub_render_pdata( p_dec, p_region,
+                                         p_region->p_object_defs[i].i_x,
+                                         p_region->p_object_defs[i].i_y + 1,
+                                         p_bottomfield, i_bottomfield );
+                }
+                else
+                {
+                    /* Duplicate the top field */
+                    dvbsub_render_pdata( p_dec, p_region,
+                                         p_region->p_object_defs[i].i_x,
+                                         p_region->p_object_defs[i].i_y + 1,
+                                         p_topfield, i_topfield );
+                }
              }
          }
-
-        bs_skip( s, (i_topfield + i_bottomfield) * 8 );
-
-        /* Check word-alignement */
-        bs_align( s );
-        if( bs_pos( s ) % 16 ) bs_skip( s, 8 );
      }
      else
      {
author	Gildas Bazin <gbazin@videolan.org>
	Thu, 14 Oct 2004 10:10:48 +0000 (10:10 +0000)
committer	Gildas Bazin <gbazin@videolan.org>
	Thu, 14 Oct 2004 10:10:48 +0000 (10:10 +0000)