dvdsubdec: Validate the RLE offsets

CC: libav-stable@libav.org

dvdsubdec: Validate the RLE offsets
CC: libav-stable@libav.org
5c30ae1a · Luca Barbato · eda18328 · 5c30ae1a
Commit 5c30ae1a authored Nov 11, 2015 by Luca Barbato
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

dvdsubdec.c libavcodec/dvdsubdec.c +5 -1

No files found.
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
 static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                                const uint8_t *buf, int buf_size)
 {
-    int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+    int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
    int big_offsets, offset_size, is_8bit = 0;
    const uint8_t *yuv_palette = 0;
    uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
    int date;
    int i;
    int is_menu = 0;
+    int64_t offset1, offset2;

    if (buf_size < 10)
        return -1;
@@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
            }
        }
    the_end:
+        if (offset1 >= buf_size || offset2 >= buf_size)
+            goto fail;
+
        if (offset1 >= 0) {
            int w, h;
            uint8_t *bitmap;