diff options
author | Jindrich Makovicka <makovick@gmail.com> | 2011-02-05 11:39:51 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-02-07 16:56:49 +0100 |
commit | 52b2e95cd9f829b83b879a0694173d4ef1558c46 (patch) | |
tree | ad6f3a2f4d5637ba555ef457245b18f9ce362456 | |
parent | 6a495e986fa4f88ba000bd004b671ae041ebd4f3 (diff) | |
download | ffmpeg-52b2e95cd9f829b83b879a0694173d4ef1558c46.tar.gz |
dvdsubdec.c: prevent input buffer overflow
In some places, dvbsubdec passes improper input buffer size to
bitstream reading functions, not accounting for reading pointer
updates.
Fixed by using buffer_end - buffer pointer instead of fixed buffer length.
Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/dvbsubdec.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index fe9879822f..8cc8d4fc83 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -792,7 +792,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis map_table = NULL; x_pos += dvbsub_read_2bit_string(pbuf + (y_pos * region->width) + x_pos, - region->width - x_pos, &buf, buf_size, + region->width - x_pos, &buf, buf_end - buf, non_mod, map_table); break; case 0x11: @@ -807,7 +807,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis map_table = NULL; x_pos += dvbsub_read_4bit_string(pbuf + (y_pos * region->width) + x_pos, - region->width - x_pos, &buf, buf_size, + region->width - x_pos, &buf, buf_end - buf, non_mod, map_table); break; case 0x12: @@ -817,7 +817,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis } x_pos += dvbsub_read_8bit_string(pbuf + (y_pos * region->width) + x_pos, - region->width - x_pos, &buf, buf_size, + region->width - x_pos, &buf, buf_end - buf, non_mod, NULL); break; |