aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJindrich Makovicka <makovick@gmail.com>2011-02-05 11:39:51 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-02-07 16:56:49 +0100
commit52b2e95cd9f829b83b879a0694173d4ef1558c46 (patch)
treead6f3a2f4d5637ba555ef457245b18f9ce362456
parent6a495e986fa4f88ba000bd004b671ae041ebd4f3 (diff)
downloadffmpeg-52b2e95cd9f829b83b879a0694173d4ef1558c46.tar.gz
dvdsubdec.c: prevent input buffer overflow
In some places, dvbsubdec passes improper input buffer size to bitstream reading functions, not accounting for reading pointer updates. Fixed by using buffer_end - buffer pointer instead of fixed buffer length. Signed-off-by: Jindrich Makovicka <makovick@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/dvbsubdec.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index fe9879822f..8cc8d4fc83 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -792,7 +792,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis
map_table = NULL;
x_pos += dvbsub_read_2bit_string(pbuf + (y_pos * region->width) + x_pos,
- region->width - x_pos, &buf, buf_size,
+ region->width - x_pos, &buf, buf_end - buf,
non_mod, map_table);
break;
case 0x11:
@@ -807,7 +807,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis
map_table = NULL;
x_pos += dvbsub_read_4bit_string(pbuf + (y_pos * region->width) + x_pos,
- region->width - x_pos, &buf, buf_size,
+ region->width - x_pos, &buf, buf_end - buf,
non_mod, map_table);
break;
case 0x12:
@@ -817,7 +817,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis
}
x_pos += dvbsub_read_8bit_string(pbuf + (y_pos * region->width) + x_pos,
- region->width - x_pos, &buf, buf_size,
+ region->width - x_pos, &buf, buf_end - buf,
non_mod, NULL);
break;