Browse code
dvbsubdec: check against buffer overreads
Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
(cherry picked from commit 493aa30adf88baf5bc734072592a22db586f0cfb)
Janne Grunau authored on 2011/02/10 07:23:22Showing 1 changed files
| ... | ... |
@@ -1423,13 +1423,15 @@ static int dvbsub_decode(AVCodecContext *avctx, |
| 1423 | 1423 |
|
| 1424 | 1424 |
#endif |
| 1425 | 1425 |
|
| 1426 |
- if (buf_size <= 2 || *buf != 0x0f) |
|
| 1426 |
+ if (buf_size <= 6 || *buf != 0x0f) {
|
|
| 1427 |
+ av_dlog(avctx, "incomplete or broken packet"); |
|
| 1427 | 1428 |
return -1; |
| 1429 |
+ } |
|
| 1428 | 1430 |
|
| 1429 | 1431 |
p = buf; |
| 1430 | 1432 |
p_end = buf + buf_size; |
| 1431 | 1433 |
|
| 1432 |
- while (p < p_end && *p == 0x0f) {
|
|
| 1434 |
+ while (p_end - p >= 6 && *p == 0x0f) {
|
|
| 1433 | 1435 |
p += 1; |
| 1434 | 1436 |
segment_type = *p++; |
| 1435 | 1437 |
page_id = AV_RB16(p); |
| ... | ... |
@@ -1437,6 +1439,11 @@ static int dvbsub_decode(AVCodecContext *avctx, |
| 1437 | 1437 |
segment_length = AV_RB16(p); |
| 1438 | 1438 |
p += 2; |
| 1439 | 1439 |
|
| 1440 |
+ if (p_end - p < segment_length) {
|
|
| 1441 |
+ av_dlog(avctx, "incomplete or broken packet"); |
|
| 1442 |
+ return -1; |
|
| 1443 |
+ } |
|
| 1444 |
+ |
|
| 1440 | 1445 |
if (page_id == ctx->composition_id || page_id == ctx->ancillary_id || |
| 1441 | 1446 |
ctx->composition_id == -1 || ctx->ancillary_id == -1) {
|
| 1442 | 1447 |
switch (segment_type) {
|