dvdsubdec: Validate the RLE offsets

Message ID 20151117212616.7DE765DA9D@aruru.libav.org
State New

Commit Message

Janne Grunau Nov. 17, 2015, 9:26 p.m.
Module: libav
Branch: master
Commit: 5c30ae1a09b66179e16694f6137658023ed1fef3

Author:    Luca Barbato <lu_zero@gentoo.org>
Committer: Luca Barbato <lu_zero@gentoo.org>
Date:      Wed Nov 11 20:08:29 2015 +0100

dvdsubdec: Validate the RLE offsets

CC: libav-stable@libav.org

---

 libavcodec/dvdsubdec.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Patch

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 15c49c4..da1a83f 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -178,13 +178,14 @@  static void guess_palette(DVDSubContext* ctx,
 static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                                 const uint8_t *buf, int buf_size)
 {
-    int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+    int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
     int big_offsets, offset_size, is_8bit = 0;
     const uint8_t *yuv_palette = 0;
     uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
     int date;
     int i;
     int is_menu = 0;
+    int64_t offset1, offset2;
 
     if (buf_size < 10)
         return -1;
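Review bot: The change of `offset1`/`offset2` from `int` to `int64_t` at the declaration has no comment, and the reason looks security-relevant. Presumably a 32-bit offset read from the packet should stay positive, so that the `>= buf_size` test added later in this function catches it instead of the value wrapping negative in an `int`; the read site is outside this hunk, so this should be confirmed. I would record it next to the declaration, e.g. `/* 64-bit: a 32-bit offset from the packet must not wrap negative and slip past the bounds check */`. The declaration also leaves both variables uninitialized, and whether they are set before `the_end:` on every path cannot be seen here, since the function body continues past the hunk.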
@@ -302,6 +303,9 @@  static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
             }
         }
     the_end:
+        if (offset1 >= buf_size || offset2 >= buf_size)
+            goto fail;
+
         if (offset1 >= 0) {
             int w, h;
             uint8_t *bitmap;
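Review bot: The new guard at `the_end:` rejects only offsets at or beyond `buf_size`; it does not cover a negative `offset2`, and the only visible follow-up test is `if (offset1 >= 0)`. If `offset2` can still be unset (negative) while `offset1` is valid, it would pass both checks and reach the bitmap decoding; the assignments are outside this hunk, so this is unconfirmed. Consider `if (offset1 >= buf_size || offset2 >= buf_size || (offset1 >= 0 && offset2 < 0)) goto fail;`. An in-range start offset also does not limit how far the RLE reader runs, so the decoder must still stop at `buf_size` itself; a comment such as `/* offsets are packet-controlled: reject starts outside the buffer, the RLE reader bounds the rest */` would record that split. The enclosing loop body starts and ends outside the hunk.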