dvbsubdec: check against buffer overreads

Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net> (cherry picked from commit 493aa30a)

dvbsubdec: check against buffer overreads
Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net> (cherry picked from commit 493aa30a)
1a089285 · Janne Grunau · Michael Niedermayer · 20708223 · 1a089285
Commit 1a089285 authored Feb 09, 2011 by Janne Grunau Committed by Michael Niedermayer Feb 11, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

dvbsubdec.c libavcodec/dvbsubdec.c +9 -2

No files found.
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -1423,13 +1423,15 @@ static int dvbsub_decode(AVCodecContext *avctx,
 #endif
-    if (buf_size <= 2 || *buf != 0x0f)
+    if (buf_size <= 6 || *buf != 0x0f) {
+        av_dlog(avctx, "incomplete or broken packet");
        return -1;
+    }
    p = buf;
    p_end = buf + buf_size;
-    while (p < p_end && *p == 0x0f) {
+    while (p_end - p >= 6 && *p == 0x0f) {
        p += 1;
        segment_type = *p++;
        page_id = AV_RB16(p);
@@ -1437,6 +1439,11 @@ static int dvbsub_decode(AVCodecContext *avctx,
        segment_length = AV_RB16(p);
        p += 2;
+        if (p_end - p < segment_length) {
+            av_dlog(avctx, "incomplete or broken packet");
+            return -1;
+        }
        if (page_id == ctx->composition_id || page_id == ctx->ancillary_id ||
            ctx->composition_id == -1 || ctx->ancillary_id == -1) {
            switch (segment_type) {