author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-10-17 13:13:23 +0200 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2021-02-27 07:20:58 +0100 |
commit | b4a96efdda22e3f0e0e4f1e3fcfe556d3b4639fb (patch) | |
tree | 00229ce446dcccc35fb312325764d85150388c9f | |
parent | 59b8634411ba2a6c7700968b3af5b400b14f0f41 (diff) | |
download | ffmpeg-b4a96efdda22e3f0e0e4f1e3fcfe556d3b4639fb.tar.gz |
avcodec/movtextdec: Simplify checking for invalid extradata
Every font entry occupies at least three bytes, so checking early
whether there is that much data available is a low-effort way to exclude
invalid extradata. Doing so leads to an overall simplification.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a42695c07244991ceabf9996d086dda3fcc28fc1)
-rw-r--r-- | libavcodec/movtextdec.c | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index ad60c77519..e46c932c20 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -145,14 +145,13 @@ static void mov_text_cleanup_ftab(MovTextContext *m)
 static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 {
 uint8_t *tx3g_ptr = avctx->extradata;
- int i, box_size, font_length;
+ int i, font_length, remaining = avctx->extradata_size - BOX_SIZE_INITIAL;
 int8_t v_align, h_align;
 unsigned ftab_entries;
 StyleBox s_default;
 m->ftab_entries = 0;
- box_size = BOX_SIZE_INITIAL; /* Size till ftab_entries */
- if (avctx->extradata_size < box_size)
+ if (remaining < 0)
 return -1;
 // Display Flags
@@ -220,6 +219,9 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 ftab_entries = AV_RB16(tx3g_ptr);
 if (!ftab_entries)
 return 0;
+ remaining -= 3 * ftab_entries;
+ if (remaining < 0)
+ return AVERROR_INVALIDDATA;
 m->ftab = av_calloc(ftab_entries, sizeof(*m->ftab));
 if (!m->ftab)
 return AVERROR(ENOMEM);
@@ -227,18 +229,12 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 tx3g_ptr += 2;
 for (i = 0; i < m->ftab_entries; i++) {
-
- box_size += 3;
- if (avctx->extradata_size < box_size) {
- mov_text_cleanup_ftab(m);
- return -1;
- }
 m->ftab[i].fontID = AV_RB16(tx3g_ptr);
 tx3g_ptr += 2;
 font_length = *tx3g_ptr++;
- box_size = box_size + font_length;
- if (avctx->extradata_size < box_size) {
+ remaining -= font_length;
+ if (remaining < 0) {
 mov_text_cleanup_ftab(m);
 return -1;
 } |
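Review bot: The short-extradata path in the first hunk still ends in a bare `return -1;`, while the check this commit adds before the allocation returns `AVERROR_INVALIDDATA` for the same class of malformed input. The `return -1;` after `mov_text_cleanup_ftab(m)` in the third hunk has the same inconsistency. Both would read better as `return AVERROR_INVALIDDATA;` so callers and logs see one error code for truncated tx3g extradata. mov_text_tx3g begins in this hunk, but its body continues outside it.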
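Review bot: In the second hunk, `remaining -= 3 * ftab_entries;` mixes the signed `remaining` with the `unsigned` `ftab_entries`, so the subtraction is done in unsigned arithmetic and the `remaining < 0` test only fires because the wrapped value is converted back to int. The intent is clearer and independent of that conversion if the comparison happens before the subtraction: `if (remaining < 3 * (int)ftab_entries) return AVERROR_INVALIDDATA;` followed by `remaining -= 3 * (int)ftab_entries;`. The cast is safe because the count comes from a 16-bit read. A short comment such as `/* each font entry: 2-byte ID + 1-byte name length */` would also explain the constant 3. The function starts and ends outside this hunk.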
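Review bot: The loop in the third hunk now reads `fontID` and the length byte with no bounds check in sight, and nothing here says those reads are safe only because the `3 * ftab_entries` check ran before the allocation. A later change that moves or weakens that earlier check would turn these into out-of-bounds reads of extradata with no hint at the read site. I would add a comment at the top of the loop body, for example `/* the fixed 3 bytes of every entry were validated before av_calloc(); only the name bytes are checked here */`. The loop body and the function continue past the end of this hunk.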