Merge commit 'd98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d'

* commit 'd98e6c5d5d80c1dfe0c30f2e73d41a3aea0b920d':
  pgssubdec: Check RLE size before copying

See: c0d68be555f5858703383040e04fcd6529777061
Merged-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 7 insertions, 5 deletions

diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
index c6331692a0..36f1f8265a 100644
--- a/libavcodec/pgssubdec.c
+++ b/libavcodec/pgssubdec.c
@@ -278,6 +278,13 @@ static int parse_object_segment(AVCodecContext *avctx,
     /* Decode rle bitmap length, stored size includes width/height data */
     rle_bitmap_len = bytestream_get_be24(&buf) - 2*2;
 
+    if (buf_size > rle_bitmap_len) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Buffer dimension %d larger than the expected RLE data %d\n",
+               buf_size, rle_bitmap_len);
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Get bitmap dimensions from data */
     width  = bytestream_get_be16(&buf);
     height = bytestream_get_be16(&buf);
@@ -288,11 +295,6 @@ static int parse_object_segment(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
     }
 
-    if (buf_size > rle_bitmap_len) {
-        av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
-        return AVERROR_INVALIDDATA;
-    }
-
     object->w = width;
     object->h = height;