[FFmpeg-cvslog] avcodec/pgssubdec: Check input buffer size in parse_presentation_segment()

Michael Niedermayer git at videolan.org
Mon Jun 30 18:29:35 CEST 2014


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Jun 30 18:23:08 2014 +0200| [89bcb77726e222aee9d8536f0310d805f7d39fac] | committer: Michael Niedermayer

avcodec/pgssubdec: Check input buffer size in parse_presentation_segment()

Might fix overread, no testcase known though.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89bcb77726e222aee9d8536f0310d805f7d39fac
---

 libavcodec/pgssubdec.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index bbcbad0..d1be074 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -380,6 +380,7 @@ static int parse_presentation_segment(AVCodecContext *avctx,
 {
     PGSSubContext *ctx = avctx->priv_data;
     int i, state, ret;
+    const uint8_t *buf_end = buf + buf_size;
 
     // Video descriptor
     int w = bytestream_get_be16(&buf);
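Review bot: buf_end is introduced at the top of the function, but the video descriptor read that follows ("int w = bytestream_get_be16(&buf);") still has no length check in the lines shown. If the fixed-size header is not validated against buf_size before this point, add a minimum-size check right after the declarations so the header reads are covered as well as the per-object reads.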
@@ -433,6 +434,13 @@ static int parse_presentation_segment(AVCodecContext *avctx,
 
     for (i = 0; i < ctx->presentation.object_count; i++)
     {
+
+        if (buf_end - buf < 8) {
+            av_log(avctx, AV_LOG_ERROR, "Insufficent space for object\n");
+            ctx->presentation.object_count = i;
+            return AVERROR_INVALIDDATA;
+        }
+
         ctx->presentation.objects[i].id = bytestream_get_be16(&buf);
         ctx->presentation.objects[i].window_id = bytestream_get_byte(&buf);
         ctx->presentation.objects[i].composition_flag = bytestream_get_byte(&buf);
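Review bot: the literal 8 in "if (buf_end - buf < 8)" is unexplained, and the reads visible below it (16-bit id, 1-byte window_id, 1-byte composition_flag) account for only 4 bytes. Add a comment or a named constant stating which fields make up the 8 bytes, and if any path through the rest of the loop body reads more than that, give it its own check. The log string has a typo ("Insufficent" should be "Insufficient"), and the added blank line directly after the opening brace can be dropped.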


