diff options
author | Derek Buitenhuis <derek.buitenhuis@gmail.com> | 2015-11-22 20:15:21 +0300 |
---|---|---|
committer | Derek Buitenhuis <derek.buitenhuis@gmail.com> | 2015-11-22 20:15:21 +0300 |
commit | cde68661bfa5a3049c08e79f1e38a3df597f18d8 (patch) | |
tree | 442b4103b4959cff953858cb8bd08afc007a844c /libavcodec/dvdsubdec.c | |
parent | df8e24be5da2f9a8b0bd86dbbd1b0bf508bac003 (diff) | |
parent | 5c30ae1a09b66179e16694f6137658023ed1fef3 (diff) |
Merge commit '5c30ae1a09b66179e16694f6137658023ed1fef3'
* commit '5c30ae1a09b66179e16694f6137658023ed1fef3':
dvdsubdec: Validate the RLE offsets
Conflicts:
libavcodec/dvdsubdec.c
Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Diffstat (limited to 'libavcodec/dvdsubdec.c')
-rw-r--r-- | libavcodec/dvdsubdec.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 014b0a3a83..fe938591ef 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -220,7 +220,7 @@ static void reset_rects(AVSubtitle *sub_header) static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, const uint8_t *buf, int buf_size) { - int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos; + int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos; int big_offsets, offset_size, is_8bit = 0; const uint8_t *yuv_palette = NULL; uint8_t *colormap = ctx->colormap, *alpha = ctx->alpha; @@ -228,6 +228,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, int i; int is_menu = 0; uint32_t size; + int64_t offset1, offset2; if (buf_size < 10) return -1; @@ -353,6 +354,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: + if (offset1 >= buf_size || offset2 >= buf_size) + goto fail; + if (offset1 >= 0 && offset2 >= 0) { int w, h; uint8_t *bitmap; |