[FFmpeg-devel] [PATCH] dvdsubdec make pos values unsigned

Reimar Döffinger Reimar.Doeffinger
Thu Aug 13 13:31:01 CEST 2009


On Thu, Aug 13, 2009 at 01:25:20PM +0200, Reimar D?ffinger wrote:
> Hello,
> dvdsubdec reads 32 bit values into e.g. cmd_pos and then checks its
> validity with e.g.
> while ((cmd_pos + 2 + offset_size) < buf_size) {
> which obviously is not correct.
> I suggest the simplest fix of making these variables unsigned:

Forget that, that's almost as wrong.
This one I think works and is sufficient:
Index: dvdsubdec.c
===================================================================
--- dvdsubdec.c (revision 19613)
+++ dvdsubdec.c (working copy)
@@ -191,7 +191,7 @@
 
     cmd_pos = READ_OFFSET(buf + cmd_pos);
 
-    while ((cmd_pos + 2 + offset_size) < buf_size) {
+    while (cmd_pos > 0 && cmd_pos < buf_size - 2 - offset_size) {
         date = AV_RB16(buf + cmd_pos);
         next_cmd_pos = READ_OFFSET(buf + cmd_pos + 2);
         dprintf(NULL, "cmd_pos=0x%04x next=0x%04x date=%d\n",



More information about the ffmpeg-devel mailing list