[FFmpeg-cvslog] avcodec/dvdsubdec: fix out of bounds accesses
wm4
git at videolan.org
Fri Jan 9 17:32:15 CET 2015
ffmpeg | branch: release/2.5 | wm4 <nfxjfg at googlemail.com> | Mon Jan 5 04:45:26 2015 +0100| [e0a12b3dc3a252412e91416ebbbf9449e82e4bd0] | committer: Michael Niedermayer
avcodec/dvdsubdec: fix out of bounds accesses
The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0a12b3dc3a252412e91416ebbbf9449e82e4bd0
---
libavcodec/dvdsubdec.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 39604f3..20b9d41 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
int x, y, len, color;
uint8_t *d;
+ if (start >= buf_size)
+ return -1;
+
bit_len = (buf_size - start) * 8;
init_get_bits(&gb, buf + start, bit_len);
@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
sub_header->num_rects = 1;
sub_header->rects[0]->pict.data[0] = bitmap;
- decode_rle(bitmap, w * 2, w, (h + 1) / 2,
- buf, offset1, buf_size, is_8bit);
- decode_rle(bitmap + w, w * 2, w, h / 2,
- buf, offset2, buf_size, is_8bit);
+ if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
+ buf, offset1, buf_size, is_8bit) < 0)
+ goto fail;
+ if (decode_rle(bitmap + w, w * 2, w, h / 2,
+ buf, offset2, buf_size, is_8bit) < 0)
+ goto fail;
sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
if (is_8bit) {
if (!yuv_palette)
More information about the ffmpeg-cvslog
mailing list