pgssubdec: Check RLE size before copying

Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit d98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d) Signed-off-by: Diego Biurrun <diego@biurrun.de>
author: Michael Niedermayer <michaelni@gmx.at> 2014-07-30 21:31:19 -0400
committer: Diego Biurrun <diego@biurrun.de> 2014-08-01 01:04:13 -0700
commit: a1f7844a11010d8552c75424d1a831b37a0ae5d9 (patch)
tree: 84ddc391a0e696472540d209a74b3721671e687f
parent: d396987c303bdc4eea7d1a1ff6776475d9bbd9ea (diff)
download: ffmpeg-a1f7844a11010d8552c75424d1a831b37a0ae5d9.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index 2102a51653..3731a4c16b 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -196,6 +196,13 @@ static int parse_picture_segment(AVCodecContext *avctx,
     /* Decode rle bitmap length, stored size includes width/height data */
     rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;
 
+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Buffer dimension %d larger than the expected RLE data %d\n",
+               buf_size, rle_bitmap_len);
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Get bitmap dimensions from data */
     width  = bytestream_get_be16(&buf);
     height = bytestream_get_be16(&buf);
author	Michael Niedermayer <michaelni@gmx.at>	2014-07-30 21:31:19 -0400
committer	Diego Biurrun <diego@biurrun.de>	2014-08-01 01:04:13 -0700
commit	a1f7844a11010d8552c75424d1a831b37a0ae5d9 (patch)
tree	84ddc391a0e696472540d209a74b3721671e687f
parent	d396987c303bdc4eea7d1a1ff6776475d9bbd9ea (diff)
download	ffmpeg-a1f7844a11010d8552c75424d1a831b37a0ae5d9.tar.gz