github.com/FFmpeg/FFmpeg.git
author wm4 <nfxjfg@googlemail.com> 2015-09-21 19:22:35 +0300
committer wm4 <nfxjfg@googlemail.com> 2015-09-22 18:41:01 +0300
commit 9aab22223908180cbfc3c5fa1b19b58d806b5097 (patch)
tree e323842b08df512d585d16563b4a9349762af935 /libavcodec/dvdsubdec.c
parent f874e2728b0925b2ec30dd7ec64815f15078c06f (diff)
avcodec/dvdsubdec: reject some broken packets

If cmd_pos is broken, this would just keep accumulating packets in the reassembly buffer, until it fails and flushes the buffer on overflow. Since packets are usually rather small, this will take a lot of subtitle packets. The perceived effect is that subtitles are not displayed anymore after the faulty packet was passed to the decoder.

I'm not terribly sure about this, but on the other hand this code is active only when fragmented packets need to be reassembled.

Fixes sample file in trac issue #4872.
Diffstat (limited to 'libavcodec/dvdsubdec.c')
-rw-r--r-- libavcodec/dvdsubdec.c 9
1 files changed, 8 insertions, 1 deletions
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 57eafbf270..b7285a428a 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -227,6 +227,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
int date;
int i;
int is_menu = 0;
+ uint32_t size;
if (buf_size < 10)
return -1;
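Review bot: The new local size is declared uint32_t, while the existing test cmd_pos < 0 further down shows that cmd_pos is treated as signed, so the added comparison cmd_pos > size mixes signed and unsigned operands. Should cmd_pos ever be negative, it is converted to a large unsigned value in that comparison and always compares greater than size, which routes it to the discard path instead of AVERROR(EAGAIN). If that is the intent, a short comment would make it explicit; otherwise declare size as int like the neighbouring locals (date, i, is_menu) so the comparison is done in signed arithmetic.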
@@ -241,10 +242,16 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
cmd_pos = 2;
}
+ size = READ_OFFSET(buf + (big_offsets ? 2 : 0));
cmd_pos = READ_OFFSET(buf + cmd_pos);
- if (cmd_pos < 0 || cmd_pos > buf_size - 2 - offset_size)
+ if (cmd_pos < 0 || cmd_pos > buf_size - 2 - offset_size) {
+ if (cmd_pos > size) {
+ av_log(ctx, AV_LOG_ERROR, "Discarding invalid packet\n");
+ return 0;
+ }
return AVERROR(EAGAIN);
+ }
while (cmd_pos > 0 && cmd_pos < buf_size - 2 - offset_size) {
date = AV_RB16(buf + cmd_pos);
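Review bot: The discard test cmd_pos > size compares against the bare declared size, whereas the enclosing check and the loop condition both bound cmd_pos by buf_size - 2 - offset_size. A cmd_pos that falls within the last 2 + offset_size bytes of the declared size is therefore not discarded: when the buffer holds exactly size bytes the outer condition is still true, cmd_pos > size is false, and the function returns AVERROR(EAGAIN) again, so that packet keeps waiting for data in the way the commit message describes. Consider comparing against size - 2 - offset_size, computed in signed arithmetic so that a small size cannot wrap around. The log line would also be easier to act on if it printed cmd_pos and size.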