aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-07-30 21:31:19 -0400
committerLuca Barbato <lu_zero@gentoo.org>2014-08-01 02:13:32 +0200
commitd98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d (patch)
treef36824bc772fa0c6bd8c4efc8f7e702d3f53d6fa
parenta0ce85ac7de098d3f9b53b51b77a09bad700a011 (diff)
downloadffmpeg-d98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d.tar.gz
pgssubdec: Check RLE size before copying
Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
-rw-r--r--libavcodec/pgssubdec.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 1cafd9f832..6217c406d9 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -275,6 +275,13 @@ static int parse_object_segment(AVCodecContext *avctx,
/* Decode rle bitmap length, stored size includes width/height data */
rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;
+ if (buf_size > rle_bitmap_len) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Buffer dimension %d larger than the expected RLE data %d\n",
+ buf_size, rle_bitmap_len);
+ return AVERROR_INVALIDDATA;
+ }
+
/* Get bitmap dimensions from data */
width = bytestream_get_be16(&buf);
height = bytestream_get_be16(&buf);