[FFmpeg-devel] [PATCH] dvbsubdec: check against buffer overreads

Janne Grunau janne-ffmpeg
Thu Feb 10 01:24:03 CET 2011


On Thu, Feb 10, 2011 at 12:19:09AM +0000, Måns Rullgård wrote:
> Janne Grunau <janne-ffmpeg at jannau.net> writes:
> 
> > Signed-off-by: Janne Grunau <janne-ffmpeg at jannau.net>
> > ---
> >  libavcodec/dvbsubdec.c |   11 +++++++++--
> >  1 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
> > index 401144f..09b629e 100644
> > --- a/libavcodec/dvbsubdec.c
> > +++ b/libavcodec/dvbsubdec.c
> > @@ -1423,13 +1423,15 @@ static int dvbsub_decode(AVCodecContext *avctx,
> >
> >  #endif
> >
> > -    if (buf_size <= 2 || *buf != 0x0f)
> > +    if (buf_size <= 6 || *buf != 0x0f) {
> > +        av_dlog(avctx, "incomplete or broken packet");
> >          return -1;
> > +    }
> >
> >      p = buf;
> >      p_end = buf + buf_size;
> >
> > -    while (p < p_end && *p == 0x0f) {
> > +    while (p - p_end < 6 && *p == 0x0f) {
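Review bot: the new loop condition `p - p_end < 6` in the `while` line is inverted. `p - p_end` is negative for every `p` inside the buffer, so the test is always true there and stays true until `p` reaches `p_end + 6`, which lets `*p` be read past the end of the buffer instead of guarding it. Writing it as `p_end - p > 6 && *p == 0x0f` would bound the read and match the `buf_size <= 6` rejection at the top of the hunk. Separately, the `av_dlog` message string has no trailing `\n`.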
> 
> That looks backwards.  Shouldn't it be p_end - p > 6?

Obviously, too late. I'll update the patch tomorrow.

Janne


