[FFmpeg-devel] [PATCH] Decode PGS subtitle multipacket RLE data

Reimar Döffinger Reimar.Doeffinger
Sat Nov 6 23:23:33 CET 2010

On Sat, Nov 06, 2010 at 03:10:55PM -0700, Mark Goodman wrote:
> On Sat, Nov 6, 2010 at 2:55 PM, Reimar Döffinger
> <Reimar.Doeffinger at gmx.de> wrote:
> > On Sat, Nov 06, 2010 at 02:32:33PM -0700, Mark Goodman wrote:
> >> The width and height bytes are included in the encoded length so
> >> subtract four bytes from the encoded length.
> >
> > There is not enough validation.
> > The decoder is already really crappy in that regard, but the code
> > really needs to check that it has all necessary data upon display
> > (or whenever else it uses it) and at the very least print an error
> > message if not.
> Here's a second patch with some validation.

Oops, I realize that your patch does not add any additional need
for a check.
I'll have to have a look another time since I fear I'm not quite awake...
But if I understand right and the check is on the compressed size, it seems
pointless anyway; the decode_rle function lacks a check that the whole
image is filled.
Not to mention the code that has the comment
            * New Line. Check if correct pixels decoded, if not display warning
            * and adjust bitmap pointer to correct new line position.
But the code does not adjust the "bitmap pointer", nor does it ensure
the whole line is actually initialized.
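
The checks asked for in this message, as an added example (not FFmpeg's code and not part of the original email): a PGS RLE decoder that rejects a run crossing a line end, zero-fills short or missing lines, and reports whether the whole image was filled. The function names, the return convention and the sample streams are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 4x2 samples: a complete stream, and one whose first line is short. */
static const uint8_t SAMPLE_OK[]    = {1, 1, 2, 2, 0, 0,  0, 0x84, 5, 0, 0};
static const uint8_t SAMPLE_SHORT[] = {1, 0, 0,  0, 0x84, 5, 0, 0};

/* Zero-fill the unwritten tail of line y; returns 1 if the line was short. */
static int pad_line(uint8_t *dst, int w, int x, int y)
{
    if (x < w) memset(dst + (size_t)y * w + x, 0, (size_t)(w - x));
    return x < w;
}

/* Returns 0 if every line was filled, n > 0 if n lines were short or missing
 * (zero-filled here), -1 on a truncated code or a run crossing a line end. */
int pgs_rle_decode_checked(const uint8_t *buf, size_t len, uint8_t *dst, int w, int h)
{
    size_t pos = 0;
    int x = 0, y = 0, padded = 0;
    if (w <= 0 || h <= 0) return -1;
    while (y < h && pos < len) {
        unsigned color = buf[pos++], run = 1, flags;
        if (color == 0) {                        /* escape: run-length code follows */
            if (pos >= len) return -1;
            flags = buf[pos++];
            run = flags & 0x3f;
            if (flags & 0x40) {                  /* 14-bit run length */
                if (pos >= len) return -1;
                run = (run << 8) | buf[pos++];
            }
            if (flags & 0x80) {                  /* explicit color, otherwise color 0 */
                if (pos >= len) return -1;
                color = buf[pos++];
            }
        }
        if (run == 0) {                          /* end of line: initialize the rest */
            padded += pad_line(dst, w, x, y++);
            x = 0;
        } else if (run > (unsigned)(w - x)) {
            return -1;                           /* run does not fit in this line */
        } else {
            memset(dst + (size_t)y * w + x, (int)color, run);
            x += (int)run;
        }
    }
    for (; y < h; y++, x = 0)                    /* input ended before the last line */
        padded += pad_line(dst, w, x, y);
    return padded;
}
```

On a -1 return the bitmap is only partly written and should be discarded rather than displayed.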
