authorMichael Niedermayer <michaelni@gmx.at>2014-06-30 18:23:08 +0200
committerMichael Niedermayer <michaelni@gmx.at>2014-06-30 18:23:08 +0200
commit89bcb77726e222aee9d8536f0310d805f7d39fac (patch)
treeca2361c768f09389978d76e85240cb43d9a6e45f
parentae9a73de2a2fa47e54107765da0cd9b71b4ad8e3 (diff)
downloadffmpeg-89bcb77726e222aee9d8536f0310d805f7d39fac.tar.gz
avcodec/pgssubdec: Check input buffer size in parse_presentation_segment()
Might fix overread, no testcase known though. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/pgssubdec.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index bbcbad014c..d1be074138 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -380,6 +380,7 @@ static int parse_presentation_segment(AVCodecContext *avctx,
{
PGSSubContext *ctx = avctx->priv_data;
int i, state, ret;
+ const uint8_t *buf_end = buf + buf_size;
// Video descriptor
int w = bytestream_get_be16(&buf);
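Review bot: The header reads that start at `int w = bytestream_get_be16(&buf);` still run before anything is compared against the new `buf_end`, so a segment shorter than the fixed header would be over-read before the per-object check in the second hunk is reached. Whether the caller already guarantees a minimum `buf_size` is not visible in this hunk. If it does not, a guard ahead of the first read, such as `if (buf_size < HEADER_SIZE) return AVERROR_INVALIDDATA;`, would close that gap; `HEADER_SIZE` is a placeholder for the number of bytes consumed before the object loop. The function body begins and continues outside the hunk.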
@@ -433,6 +434,13 @@ static int parse_presentation_segment(AVCodecContext *avctx,
for (i = 0; i < ctx->presentation.object_count; i++)
{
+
+ if (buf_end - buf < 8) {
+ av_log(avctx, AV_LOG_ERROR, "Insufficent space for object\n");
+ ctx->presentation.object_count = i;
+ return AVERROR_INVALIDDATA;
+ }
+
ctx->presentation.objects[i].id = bytestream_get_be16(&buf);
ctx->presentation.objects[i].window_id = bytestream_get_byte(&buf);
ctx->presentation.objects[i].composition_flag = bytestream_get_byte(&buf);
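Review bot: The literal `8` in `if (buf_end - buf < 8)` is not tied to the fields it protects. The hunk shows only 4 bytes read per object (`id`, `window_id`, `composition_flag`), and the rest of the loop body lies outside the hunk, so it cannot be confirmed from here that no path consumes more than 8 bytes per iteration. If any later read in the body is conditional, it needs its own `buf_end - buf` comparison before it. A short comment above the guard listing the fields that add up to 8 would make the bound auditable. The log string also has a typo and should read `"Insufficient space for object\n"`.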