pgssubdec: Check RLE size before copying

Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org>

pgssubdec: Check RLE size before copying
Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
d98e6c5d · Michael Niedermayer · Luca Barbato · a0ce85ac · d98e6c5d
Commit d98e6c5d authored Jul 31, 2014 by Michael Niedermayer Committed by Luca Barbato Aug 01, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

pgssubdec.c libavcodec/pgssubdec.c +7 -0

No files found.
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -275,6 +275,13 @@ static int parse_object_segment(AVCodecContext *avctx,
    /* Decode rle bitmap length, stored size includes width/height data */
    rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;

+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Buffer dimension %d larger than the expected RLE data %d\n",
+               buf_size, rle_bitmap_len);
+        return AVERROR_INVALIDDATA;
+    }
+
    /* Get bitmap dimensions from data */
    width  = bytestream_get_be16(&buf);
    height = bytestream_get_be16(&buf);