[FFmpeg-devel] [PATCH] Decode PGS subtitle multipacket RLE data

Mark Goodman mark.goodman
Thu Nov 11 19:01:08 CET 2010


On Sat, Nov 6, 2010 at 3:53 PM, Mark Goodman <mark.goodman at gmail.com> wrote:
> On Sat, Nov 6, 2010 at 3:26 PM, Reimar Döffinger
> <Reimar.Doeffinger at gmx.de> wrote:
>> On Sat, Nov 06, 2010 at 03:10:55PM -0700, Mark Goodman wrote:
>>> On Sat, Nov 6, 2010 at 2:55 PM, Reimar Döffinger
>>> <Reimar.Doeffinger at gmx.de> wrote:
>>> > On Sat, Nov 06, 2010 at 02:32:33PM -0700, Mark Goodman wrote:
>>> >> The width and height bytes are included in the encoded length so
>>> >> subtract four bytes from the encoded length.
>>> >
>>> > There is not enough validation.
>>> > The decoder is already really crappy in that regard, but the code
>>> > really needs to check that it has all necessary data upon display
>>> > (or whenever else it uses it) and at the very least print an error
>>> > message if not.
>>>
>>> Here's a second patch with some validation.
>>
>> I suspect this
>>> if (ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
>> should be
>>> if (buf_size > ctx->picture.rle_expected_len ||
>>>     ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
>> or something like that to make 100% sure no integer overflow can happen.
>
> Yes. A third patch is attached.

Ping. Are there any other concerns with this patch?

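The fragment-length check debated in this thread, as an added example that is not part of the original message or of the FFmpeg patch: it accumulates multi-packet RLE data and rejects any fragment that would exceed the announced length. Only `rle_expected_len` and `rle_actual_len` come from the thread; the struct, the function names and the subtraction form of the check (used here instead of the two-clause form quoted above) are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembly state; only the two length fields are named in the thread. */
typedef struct {
    uint8_t *rle;
    uint32_t rle_expected_len; /* length announced by the first fragment */
    uint32_t rle_actual_len;   /* bytes collected so far */
} PictureState;

/* Start a new picture: allocate exactly the announced length. */
static int rle_begin(PictureState *p, uint32_t expected_len)
{
    free(p->rle);
    p->rle = malloc(expected_len ? expected_len : 1);
    if (!p->rle)
        return -1;
    p->rle_expected_len = expected_len;
    p->rle_actual_len = 0;
    return 0;
}

/* Append one fragment. Invariant: rle_actual_len <= rle_expected_len, so the
 * subtraction below cannot wrap, whatever value buf_size has. */
static int rle_append(PictureState *p, const uint8_t *buf, uint32_t buf_size)
{
    if (!p->rle || buf_size > p->rle_expected_len - p->rle_actual_len)
        return -1; /* reject; state is left untouched */
    memcpy(p->rle + p->rle_actual_len, buf, buf_size);
    p->rle_actual_len += buf_size;
    return 0;
}

/* Check to run before display: has every announced byte arrived? */
static int rle_complete(const PictureState *p)
{
    return p->rle && p->rle_actual_len == p->rle_expected_len;
}

/* The additive check on its own, for comparison: returns 1 when it would
 * accept the fragment. With 32-bit unsigned operands the sum can wrap. */
static int additive_check_accepts(uint32_t actual, uint32_t buf_size, uint32_t expected)
{
    return !(actual + buf_size > expected);
}
```

A decoder would call `rle_complete()` at display time and log an error instead of decoding when it returns 0, which is the validation requested earlier in the thread.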