diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2014-07-30 21:31:19 -0400 |
---|---|---|
committer | Diego Biurrun <diego@biurrun.de> | 2014-08-01 01:04:13 -0700 |
commit | a1f7844a11010d8552c75424d1a831b37a0ae5d9 (patch) | |
tree | 84ddc391a0e696472540d209a74b3721671e687f /libavcodec | |
parent | d396987c303bdc4eea7d1a1ff6776475d9bbd9ea (diff) | |
download | ffmpeg-a1f7844a11010d8552c75424d1a831b37a0ae5d9.tar.gz |
pgssubdec: Check RLE size before copying
Make sure the buffer size does not exceed the expected
RLE size.
Prevent an out of array bound write.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Bug-Id: CVE-2013-0852
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/pgssubdec.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 2102a51653..3731a4c16b 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -196,6 +196,13 @@ static int parse_picture_segment(AVCodecContext *avctx, /* Decode rle bitmap length, stored size includes width/height data */ rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; + if (buf_size > rle_bitmap_len) { + av_log(avctx, AV_LOG_ERROR, + "Buffer dimension %d larger than the expected RLE data %d\n", + buf_size, rle_bitmap_len); + return AVERROR_INVALIDDATA; + } + /* Get bitmap dimensions from data */ width = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf); |