dvdsubdec: Validate the RLE offsets

CC: libav-stable@libav.org
author: Luca Barbato <lu_zero@gentoo.org> 2015-11-11 20:08:29 +0100
committer: Luca Barbato <lu_zero@gentoo.org> 2015-11-17 18:56:29 +0100
commit: 5c30ae1a09b66179e16694f6137658023ed1fef3 (patch)
tree: a853823e9dd74b80378f9b54bdc85d207a81b4b4 /libavcodec/dvdsubdec.c
parent: eda183287489b2c705843aa373a19c4e46fb2fec (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 15c49c40b6..da1a83f812 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
 static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                                 const uint8_t *buf, int buf_size)
 {
-    int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+    int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
     int big_offsets, offset_size, is_8bit = 0;
     const uint8_t *yuv_palette = 0;
     uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
     int date;
     int i;
     int is_menu = 0;
+    int64_t offset1, offset2;
 
     if (buf_size < 10)
         return -1;
@@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
             }
         }
     the_end:
+        if (offset1 >= buf_size || offset2 >= buf_size)
+            goto fail;
+
         if (offset1 >= 0) {
             int w, h;
             uint8_t *bitmap;
author	Luca Barbato <lu_zero@gentoo.org>	2015-11-11 20:08:29 +0100
committer	Luca Barbato <lu_zero@gentoo.org>	2015-11-17 18:56:29 +0100
commit	5c30ae1a09b66179e16694f6137658023ed1fef3 (patch)
tree	a853823e9dd74b80378f9b54bdc85d207a81b4b4 /libavcodec/dvdsubdec.c
parent	eda183287489b2c705843aa373a19c4e46fb2fec (diff)