Skip to content

Commit

Permalink
avcodec/dvdsubdec: fix out of bounds accesses
Browse files Browse the repository at this point in the history
The code blindly trusted buffer offsets read from the file in the RLE
decoder. Explicitly check the offset. Also error out on other RLE
decoding errors.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
wm4 authored and michaelni committed Jan 5, 2015

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent beedeb4 commit c9151de
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions libavcodec/dvdsubdec.c
Original file line number Diff line number Diff line change
@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
int x, y, len, color;
uint8_t *d;

if (start >= buf_size)
return -1;

bit_len = (buf_size - start) * 8;
init_get_bits(&gb, buf + start, bit_len);

@@ -359,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect));
sub_header->num_rects = 1;
sub_header->rects[0]->pict.data[0] = bitmap;
decode_rle(bitmap, w * 2, w, (h + 1) / 2,
buf, offset1, buf_size, is_8bit);
decode_rle(bitmap + w, w * 2, w, h / 2,
buf, offset2, buf_size, is_8bit);
if (decode_rle(bitmap, w * 2, w, (h + 1) / 2,
buf, offset1, buf_size, is_8bit) < 0)
goto fail;
if (decode_rle(bitmap + w, w * 2, w, h / 2,
buf, offset2, buf_size, is_8bit) < 0)
goto fail;
sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE);
if (is_8bit) {
if (!yuv_palette)

0 comments on commit c9151de

Please sign in to comment.