Might fix overread, no testcase known though.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -380,6 +380,7 @@ static int parse_presentation_segment(AVCodecContext *avctx, |
380 | 380 |
{ |
381 | 381 |
PGSSubContext *ctx = avctx->priv_data; |
382 | 382 |
int i, state, ret; |
383 |
+ const uint8_t *buf_end = buf + buf_size; |
|
383 | 384 |
|
384 | 385 |
// Video descriptor |
385 | 386 |
int w = bytestream_get_be16(&buf); |
... | ... |
@@ -433,6 +434,13 @@ static int parse_presentation_segment(AVCodecContext *avctx, |
433 | 433 |
|
434 | 434 |
for (i = 0; i < ctx->presentation.object_count; i++) |
435 | 435 |
{ |
436 |
+ |
|
437 |
+ if (buf_end - buf < 8) { |
|
438 |
+ av_log(avctx, AV_LOG_ERROR, "Insufficent space for object\n"); |
|
439 |
+ ctx->presentation.object_count = i; |
|
440 |
+ return AVERROR_INVALIDDATA; |
|
441 |
+ } |
|
442 |
+ |
|
436 | 443 |
ctx->presentation.objects[i].id = bytestream_get_be16(&buf); |
437 | 444 |
ctx->presentation.objects[i].window_id = bytestream_get_byte(&buf); |
438 | 445 |
ctx->presentation.objects[i].composition_flag = bytestream_get_byte(&buf); |
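Review bot: The `buf_end - buf < 8` guard at the top of the loop body covers only a fixed 8 bytes per object, while the three reads visible here consume 4, so the other 4 are presumably taken by reads further down the loop, which continues outside this hunk. If any later read in that body is conditional (for example on `composition_flag`) and goes past those 8 bytes, it needs its own `buf_end - buf` check, otherwise the overread this commit targets stays reachable. The constant deserves a comment naming what it covers, e.g. `/* fixed part of one object entry */`, and the log string should read `"Insufficient space for object\n"`. Separately, `buf_end` is derived from `buf_size` in the first hunk just before the `bytestream_get_be16(&buf)` header read, and nothing visible checks that the segment is long enough for that header.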