aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Rheinhardt <andreas.rheinhardt@gmail.com>2020-10-17 13:13:23 +0200
committerAndreas Rheinhardt <andreas.rheinhardt@gmail.com>2020-10-19 04:56:32 +0200
commita42695c07244991ceabf9996d086dda3fcc28fc1 (patch)
tree68a3cb767856b5060f5ace5fb0f46910f7487680
parent38cdd27e9b36183a74c19859a8092aca6e82d712 (diff)
downloadffmpeg-a42695c07244991ceabf9996d086dda3fcc28fc1.tar.gz
avcodec/movtextdec: Simplify checking for invalid extradata
Every font entry occupies at least three bytes, so checking early whether there is that much data available is a low-effort way to exclude invalid extradata. Doing so leads to an overall simplification. Reviewed-by: Philip Langdale <philipl@overt.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-rw-r--r--libavcodec/movtextdec.c18
1 files changed, 7 insertions, 11 deletions
diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index ad60c77519..e46c932c20 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -145,14 +145,13 @@ static void mov_text_cleanup_ftab(MovTextContext *m)
static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
{
uint8_t *tx3g_ptr = avctx->extradata;
- int i, box_size, font_length;
+ int i, font_length, remaining = avctx->extradata_size - BOX_SIZE_INITIAL;
int8_t v_align, h_align;
unsigned ftab_entries;
StyleBox s_default;
m->ftab_entries = 0;
- box_size = BOX_SIZE_INITIAL; /* Size till ftab_entries */
- if (avctx->extradata_size < box_size)
+ if (remaining < 0)
return -1;
// Display Flags
@@ -220,6 +219,9 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
ftab_entries = AV_RB16(tx3g_ptr);
if (!ftab_entries)
return 0;
+ remaining -= 3 * ftab_entries;
+ if (remaining < 0)
+ return AVERROR_INVALIDDATA;
m->ftab = av_calloc(ftab_entries, sizeof(*m->ftab));
if (!m->ftab)
return AVERROR(ENOMEM);
@@ -227,18 +229,12 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
tx3g_ptr += 2;
for (i = 0; i < m->ftab_entries; i++) {
-
- box_size += 3;
- if (avctx->extradata_size < box_size) {
- mov_text_cleanup_ftab(m);
- return -1;
- }
m->ftab[i].fontID = AV_RB16(tx3g_ptr);
tx3g_ptr += 2;
font_length = *tx3g_ptr++;
- box_size = box_size + font_length;
- if (avctx->extradata_size < box_size) {
+ remaining -= font_length;
+ if (remaining < 0) {
mov_text_cleanup_ftab(m);
return -1;
}