pgssubdec: check RLE size before copying. Fix out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 2876c6ac32112345665bd2862a1925f850da7dbf..a303c08b8022297dcd12d5029d663aee6e731ce7 100644 (file)
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -222,6 +222,11 @@ static int parse_picture_segment(AVCodecContext *avctx,
         return -1;
     }
 
+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     ctx->pictures[picture_id].w = width;
     ctx->pictures[picture_id].h = height;