[libav-devel] [PATCH] dvdsubdec: Validate the offsets

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Wed Nov 11 22:05:26 CET 2015


On 11.11.2015 20:11, Luca Barbato wrote:
> CC: libav-stable at libav.org
> ---
>  libavcodec/dvdsubdec.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
> index 15c49c4..0969c71 100644
> --- a/libavcodec/dvdsubdec.c
> +++ b/libavcodec/dvdsubdec.c
> @@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
>  static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
>                                  const uint8_t *buf, int buf_size)
>  {
> -    int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
> +    int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
>      int big_offsets, offset_size, is_8bit = 0;
>      const uint8_t *yuv_palette = 0;
>      uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
>      int date;
>      int i;
>      int is_menu = 0;
> +    int64_t offset1, offset2;
> 
>      if (buf_size < 10)
>          return -1;
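Review bot: widening offset1 and offset2 to int64_t (the new declaration after is_menu) only helps if the value stored into them is not already narrowed to int at the point where it is read from the buffer; that assignment is outside this hunk, so confirm that the big_offsets / offset_size path produces the value in a type at least as wide as the field, otherwise a 32-bit field still wraps negative before it ever reaches the new check. As a style point, the new declaration could take the place of the two names removed from the first `int` line instead of being appended after is_menu, so the locals stay grouped.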
> @@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
>              }
>          }
>      the_end:
> +        if (offset1 > buf_size || offset2 > buf_size)
> +            goto fail;
> +
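Review bot: the check added at the_end uses `>` and has no lower bound, so an offset equal to buf_size passes even though reading at that index is one past the end of buf, and a negative offset passes too; suggest `if (offset1 < 0 || offset1 >= buf_size || offset2 < 0 || offset2 >= buf_size) goto fail;`. If the equal case is meant to be left to decode_rle's own `start >= buf_size` test, the value this check must catch is the one above INT_MAX that a later narrowing to int would turn negative, and the int64_t comparison does that; say so in a comment so the next reader does not "simplify" it back to int.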

This is largely redundant with the following check in decode_rle:
    if (start >= buf_size)
        return -1;

The only case missing in that check is a negative (int32_t)offset2.

Best regards,
Andreas
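The interaction between the two checks discussed above (the patch's `offset > buf_size` on an int64_t and decode_rle's `start >= buf_size` on an int) is easiest to see with concrete values. The following is an added example written for this page, not code from the patch or from libav: it reads a constructed 32-bit big-endian offset field (the field position, the packet contents and the helper names are assumptions for the illustration), narrows it to int the way a plain `int start` parameter would, and reports which of three checks reject it. The third check, `offset < 0 || offset >= buf_size` on the wide value, is the combination a reviewer would want.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 64-byte subtitle packet whose control section carries
 * a 32-bit big-endian RLE offset at byte 4 (position assumed for this example).
 * The field is 0xFFFFFFF0, which no 64-byte buffer can contain. */
#define OFFSET_FIELD_POS 4
static const uint8_t sample_packet[64] = {
    [OFFSET_FIELD_POS + 0] = 0xFF, [OFFSET_FIELD_POS + 1] = 0xFF,
    [OFFSET_FIELD_POS + 2] = 0xFF, [OFFSET_FIELD_POS + 3] = 0xF0,
};

/* Read a 32-bit big-endian field into an int64_t so values >= 2^31 stay
 * positive; this is the point of widening offset1/offset2 in the patch. */
static int64_t read_offset_be32(const uint8_t *p)
{
    return ((int64_t)p[0] << 24) | ((int64_t)p[1] << 16) |
           ((int64_t)p[2] << 8)  |  (int64_t)p[3];
}

/* What a two's-complement target does when the 32-bit field is passed as a
 * plain int: bit 31 becomes the sign bit.  Written out arithmetically so the
 * result is well defined rather than relying on the implementation-defined
 * cast. */
static int narrow_to_int(uint32_t raw)
{
    int64_t v = (int64_t)raw;
    if (raw > (uint32_t)INT32_MAX)
        v -= INT64_C(0x100000000);
    return (int)v;
}

/* The patch's check: rejects only offsets strictly above buf_size. */
static int patch_check_rejects(int64_t offset, int buf_size)
{
    return offset > buf_size;
}

/* decode_rle's check as quoted in the reply: an int compared with >=. */
static int rle_check_rejects(int start, int buf_size)
{
    return start >= buf_size;
}

/* The strict form: lower bound and inclusive upper bound on the wide value. */
static int strict_check_rejects(int64_t offset, int buf_size)
{
    return offset < 0 || offset >= buf_size;
}

/* Run the three checks on one raw field.  Returns a bitmask of which checks
 * reject it: bit 0 the patch's int64_t check, bit 1 decode_rle's int check
 * after narrowing, bit 2 the strict check. */
int which_checks_reject(uint32_t raw_field, int buf_size)
{
    int64_t wide = (int64_t)raw_field;
    int narrow = narrow_to_int(raw_field);
    int mask = 0;
    if (patch_check_rejects(wide, buf_size))
        mask |= 1;
    if (rle_check_rejects(narrow, buf_size))
        mask |= 2;
    if (strict_check_rejects(wide, buf_size))
        mask |= 4;
    return mask;
}

/* The offset carried by the constructed packet, read at its full width. */
int64_t sample_offset(void)
{
    return read_offset_be32(sample_packet + OFFSET_FIELD_POS);
}

int main(void)
{
    const int buf_size = (int)sizeof(sample_packet);
    const uint32_t cases[] = { 10u, 64u, 0x7FFFFFFFu,
                               (uint32_t)sample_offset() };
    printf("%12s %12s  patch  rle  strict\n", "raw", "as int");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int m = which_checks_reject(cases[i], buf_size);
        printf("%12u %12d  %5s  %3s  %6s\n", cases[i],
               narrow_to_int(cases[i]),
               (m & 1) ? "reject" : "pass",
               (m & 2) ? "reject" : "pass",
               (m & 4) ? "reject" : "pass");
    }
    return 0;
}
```

Two rows of the table are the ones that matter: 0xFFFFFFF0 is rejected by the wide `>` check but sails through decode_rle's `>=` because it has become -16 by then, and an offset equal to buf_size is rejected by decode_rle but not by the patch's `>`. Only the strict check rejects both, which is why the two existing checks are complementary rather than redundant, and why a single `offset < 0 || offset >= buf_size` on the int64_t value would be simpler to reason about.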
