Commit c9151de7 authored by wm4's avatar wm4 Committed by Michael Niedermayer

avcodec/dvdsubdec: fix out of bounds accesses

The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent beedeb43
...@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, ...@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
int x, y, len, color; int x, y, len, color;
uint8_t *d; uint8_t *d;
if (start >= buf_size)
return -1;
bit_len = (buf_size - start) * 8; bit_len = (buf_size - start) * 8;
init_get_bits(&gb, buf + start, bit_len); init_get_bits(&gb, buf + start, bit_len);
...@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, ...@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
sub_header->num_rects = 1; sub_header->num_rects = 1;
sub_header->rects[0]->pict.data[0] = bitmap; sub_header->rects[0]->pict.data[0] = bitmap;
decode_rle(bitmap, w * 2, w, (h + 1) / 2, if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
buf, offset1, buf_size, is_8bit); buf, offset1, buf_size, is_8bit) < 0)
decode_rle(bitmap + w, w * 2, w, h / 2, goto fail;
buf, offset2, buf_size, is_8bit); if (decode_rle(bitmap + w, w * 2, w, h / 2,
buf, offset2, buf_size, is_8bit) < 0)
goto fail;
sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
if (is_8bit) { if (is_8bit) {
if (!yuv_palette) if (!yuv_palette)
......
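Review bot: The new guard in decode_rle, `if (start >= buf_size) return -1;`, bounds the offset only from above; the signature is cut off in the hunk header, so the type of `start` is not visible, but if it is a signed int a negative value taken from the file would still reach `buf + start`. Unless every caller already rejects negative offsets, the check should read `if (start < 0 || start >= buf_size) return -1;`. In decode_dvd_subtitles the new `goto fail` paths run after `bitmap` and `sub_header->rects[0]` have been allocated and `num_rects` set to 1, and the `fail` label lies outside the hunk, so it is worth confirming that it releases both. The context lines also dereference the result of `av_mallocz(sizeof(AVSubtitleRect))` without a NULL check, which a follow-up could address.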