dvdsubdec: Validate the RLE offsets

author Luca Barbato <lu_zero@gentoo.org>

Wed, 11 Nov 2015 19:08:29 +0000 (20:08 +0100)

committer Luca Barbato <lu_zero@gentoo.org>

Tue, 17 Nov 2015 17:56:29 +0000 (18:56 +0100)
author Luca Barbato <lu_zero@gentoo.org>
Wed, 11 Nov 2015 19:08:29 +0000 (20:08 +0100)
committer Luca Barbato <lu_zero@gentoo.org>
Tue, 17 Nov 2015 17:56:29 +0000 (18:56 +0100)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c

index 15c49c40b69e1b31402da67fb29a7cb3c088eb40..da1a83f8129fe114a34a745cb94f950ebf7159c3 100644 (file)
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
  static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                                  const uint8_t *buf, int buf_size)
  {
-    int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+    int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
      int big_offsets, offset_size, is_8bit = 0;
      const uint8_t *yuv_palette = 0;
      uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
      int date;
      int i;
      int is_menu = 0;
+    int64_t offset1, offset2;
  
      if (buf_size < 10)
          return -1;
@@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
              }
          }
      the_end:
+        if (offset1 >= buf_size || offset2 >= buf_size)
+            goto fail;
+
          if (offset1 >= 0) {
              int w, h;
              uint8_t *bitmap;
author	Luca Barbato <lu_zero@gentoo.org>
	Wed, 11 Nov 2015 19:08:29 +0000 (20:08 +0100)
committer	Luca Barbato <lu_zero@gentoo.org>
	Tue, 17 Nov 2015 17:56:29 +0000 (18:56 +0100)