dvdsubdec: Validate the RLE offsets

CC: libav-stable@libav.org
pull/134/merge
Luca Barbato 9 years ago
parent eda1832874
commit 5c30ae1a09
  1. 6
      libavcodec/dvdsubdec.c

@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
const uint8_t *buf, int buf_size) const uint8_t *buf, int buf_size)
{ {
int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos; int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
int big_offsets, offset_size, is_8bit = 0; int big_offsets, offset_size, is_8bit = 0;
const uint8_t *yuv_palette = 0; const uint8_t *yuv_palette = 0;
uint8_t colormap[4] = { 0 }, alpha[256] = { 0 }; uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
int date; int date;
int i; int i;
int is_menu = 0; int is_menu = 0;
int64_t offset1, offset2;
if (buf_size < 10) if (buf_size < 10)
return -1; return -1;
@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
} }
} }
the_end: the_end:
if (offset1 >= buf_size || offset2 >= buf_size)
goto fail;
if (offset1 >= 0) { if (offset1 >= 0) {
int w, h; int w, h;
uint8_t *bitmap; uint8_t *bitmap;

Loading…
Cancel
Save