Browse code
avcodec/pgssubdec: Check input buffer size in parse_presentation_segment()
Might fix overread, no testcase known though.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/07/01 01:23:08Showing 1 changed files
| ... | ... |
@@ -380,6 +380,7 @@ static int parse_presentation_segment(AVCodecContext *avctx, |
| 380 | 380 |
{
|
| 381 | 381 |
PGSSubContext *ctx = avctx->priv_data; |
| 382 | 382 |
int i, state, ret; |
| 383 |
+ const uint8_t *buf_end = buf + buf_size; |
|
| 383 | 384 |
|
| 384 | 385 |
// Video descriptor |
| 385 | 386 |
int w = bytestream_get_be16(&buf); |
| ... | ... |
@@ -433,6 +434,13 @@ static int parse_presentation_segment(AVCodecContext *avctx, |
| 433 | 433 |
|
| 434 | 434 |
for (i = 0; i < ctx->presentation.object_count; i++) |
| 435 | 435 |
{
|
| 436 |
+ |
|
| 437 |
+ if (buf_end - buf < 8) {
|
|
| 438 |
+ av_log(avctx, AV_LOG_ERROR, "Insufficent space for object\n"); |
|
| 439 |
+ ctx->presentation.object_count = i; |
|
| 440 |
+ return AVERROR_INVALIDDATA; |
|
| 441 |
+ } |
|
| 442 |
+ |
|
| 436 | 443 |
ctx->presentation.objects[i].id = bytestream_get_be16(&buf); |
| 437 | 444 |
ctx->presentation.objects[i].window_id = bytestream_get_byte(&buf); |
| 438 | 445 |
ctx->presentation.objects[i].composition_flag = bytestream_get_byte(&buf); |