[FFmpeg-cvslog] pgssubdec: Check RLE size before copying

[Michael Niedermayer]

ffmpeg | branch: release/0.10 | Michael Niedermayer <michaelni at gmx.at> | Wed Jul 30 21:31:19 2014 -0400| [a465ed5707f5cbc9713d5e9629d424cd2d46e038] | committer: Diego Biurrun

pgssubdec: Check RLE size before copying

Make sure the buffer size does not exceed the expected
RLE size.

Prevent an out of array bound write.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
Bug-Id: CVE-2013-0852

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
(cherry picked from commit 00915d3cd2ce61db3d6dc11f63566630a9aff4ec)
Signed-off-by: Diego Biurrun <diego at biurrun.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a465ed5707f5cbc9713d5e9629d424cd2d46e038
---

 libavcodec/pgssubdec.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index bcc47f3..ca6abcc 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -192,6 +192,13 @@ static int parse_picture_segment(AVCodecContext *avctx,
     /* Decode rle bitmap length, stored size includes width/height data */
     rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;
 
+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Buffer dimension %d larger than the expected RLE data %d\n",
+               buf_size, rle_bitmap_len);
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Get bitmap dimensions from data */
     width  = bytestream_get_be16(&buf);
     height = bytestream_get_be16(&buf);