ffmpeg | branch: release/0.10 | Michael Niedermayer <michae...@gmx.at> | Wed Jul 30 21:31:19 2014 -0400| [a465ed5707f5cbc9713d5e9629d424cd2d46e038] | committer: Diego Biurrun
pgssubdec: Check RLE size before copying Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michae...@gmx.at> Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato <lu_z...@gentoo.org> (cherry picked from commit 00915d3cd2ce61db3d6dc11f63566630a9aff4ec) Signed-off-by: Diego Biurrun <di...@biurrun.de> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a465ed5707f5cbc9713d5e9629d424cd2d46e038 --- libavcodec/pgssubdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index bcc47f3..ca6abcc 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -192,6 +192,13 @@ static int parse_picture_segment(AVCodecContext *avctx, /* Decode rle bitmap length, stored size includes width/height data */ rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; + if (buf_size > rle_bitmap_len) { + av_log(avctx, AV_LOG_ERROR, + "Buffer dimension %d larger than the expected RLE data %d\n", + buf_size, rle_bitmap_len); + return AVERROR_INVALIDDATA; + } + /* Get bitmap dimensions from data */ width = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf); _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
