[FFmpeg-devel] [PATCH] Decode PGS subtitle multipacket RLE data

Mark Goodman mark.goodman
Sat Nov 6 23:53:28 CET 2010


On Sat, Nov 6, 2010 at 3:26 PM, Reimar Döffinger
<Reimar.Doeffinger at gmx.de> wrote:
> On Sat, Nov 06, 2010 at 03:10:55PM -0700, Mark Goodman wrote:
>> On Sat, Nov 6, 2010 at 2:55 PM, Reimar Döffinger
>> <Reimar.Doeffinger at gmx.de> wrote:
>> > On Sat, Nov 06, 2010 at 02:32:33PM -0700, Mark Goodman wrote:
>> >> The width and height bytes are included in the encoded length so
>> >> subtract four bytes from the encoded length.
>> >
>> > There is not enough validation.
>> > The decoder is already really crappy in that regard, but the code
>> > really needs to check that it has all necessary data upon display
>> > (or whenever else it uses it) and at the very least print an error
>> > message if not.
>>
>> Here's a second patch with some validation.
>
> I suspect this
>> if (ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
> should be
>> if (buf_size > ctx->picture.rle_expected_len ||
>>     ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
> or something like that to make 100% sure no integer overflow can happen.

Yes. A third patch is attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgssubdec_rle_multipacket_3.patch
Type: application/octet-stream
Size: 2678 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20101106/09e12e08/attachment.obj>
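
The length check discussed in the thread, as an added example that is not part of the original post, the attached patch, or FFmpeg's code. It assumes unsigned lengths and a constructed fixed-size buffer; the helper names are hypothetical, and it goes one step beyond the quoted suggestion by using a subtraction form that never computes the sum, plus the completeness check the review asks for at display time.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reassembly state; the two length names follow the thread. */
typedef struct {
    uint8_t  rle[256];          /* constructed fixed-size buffer for the demo */
    unsigned rle_expected_len;  /* total length announced by the first packet */
    unsigned rle_actual_len;    /* bytes collected so far */
} Picture;

/* Check as first posted: the unsigned sum can wrap and pass. */
static int fits_naive(const Picture *p, unsigned buf_size)
{
    return p->rle_actual_len + buf_size <= p->rle_expected_len;
}

/* Subtraction form: never forms the sum, so nothing can wrap.
 * Relies on the invariant rle_actual_len <= rle_expected_len. */
static int fits_checked(const Picture *p, unsigned buf_size)
{
    return p->rle_actual_len <= p->rle_expected_len &&
           buf_size <= p->rle_expected_len - p->rle_actual_len;
}

/* Append one continuation fragment; returns 0 on success, -1 if rejected. */
static int append_fragment(Picture *p, const uint8_t *buf, unsigned buf_size)
{
    if (p->rle_expected_len > sizeof(p->rle) || !fits_checked(p, buf_size))
        return -1;
    memcpy(p->rle + p->rle_actual_len, buf, buf_size);
    p->rle_actual_len += buf_size;
    return 0;
}

/* Display-time validation: decode only when every announced byte arrived. */
static int rle_complete(const Picture *p)
{
    return p->rle_expected_len > 0 && p->rle_actual_len == p->rle_expected_len;
}

int main(void)
{
    Picture p = { {0}, 100, 60 };
    unsigned huge = UINT_MAX - 50;  /* constructed size: 60 + huge wraps to 9 */
    printf("naive=%d checked=%d\n", fits_naive(&p, huge), fits_checked(&p, huge));
    return 0;
}
```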
