[FFmpeg-devel] [PATCH] Decode PGS subtitle multipacket RLE data

Reimar Döffinger Reimar.Doeffinger
Thu Nov 11 20:26:25 CET 2010


On Thu, Nov 11, 2010 at 10:01:08AM -0800, Mark Goodman wrote:
> On Sat, Nov 6, 2010 at 3:53 PM, Mark Goodman <mark.goodman at gmail.com> wrote:
> > On Sat, Nov 6, 2010 at 3:26 PM, Reimar Döffinger
> > <Reimar.Doeffinger at gmx.de> wrote:
> >> On Sat, Nov 06, 2010 at 03:10:55PM -0700, Mark Goodman wrote:
> >>> On Sat, Nov 6, 2010 at 2:55 PM, Reimar Döffinger
> >>> <Reimar.Doeffinger at gmx.de> wrote:
> >>> > On Sat, Nov 06, 2010 at 02:32:33PM -0700, Mark Goodman wrote:
> >>> >> The width and height bytes are included in the encoded length so
> >>> >> subtract four bytes from the encoded length.
> >>> >
> >>> > There is not enough validation.
> >>> > The decoder is already really crappy in that regard, but the code
> >>> > really needs to check that it has all necessary data upon display
> >>> > (or whenever else it uses it) and at the very least print an error
> >>> > message if not.
> >>>
> >>> Here's a second patch with some validation.
> >>
> >> I suspect this
> >>> if (ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
> >> should be
> >>> if (buf_size > ctx->picture.rle_expected_len ||
> >>>     ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
> >> or something like that to make 100% sure no integer overflow can happen.
> >
> > Yes. A third patch is attached.
> 
> Ping. Are there any other concerns with this patch?

No, it looks ok to me. I don't know if I will have time to test
and apply it today, but if someone else wants to, or I'll do it hopefully
tomorrow at the latest.
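The overflow concern raised in the quoted review, as an added illustration that is not part of this thread or of FFmpeg's pgssubdec: the naive check `actual + buf_size > expected` can be defeated when `actual + buf_size` wraps around, so a continuation packet with an absurd length looks like it fits and the following memcpy writes far past the RLE buffer. The two-clause form proposed above rejects `buf_size` on its own first, which keeps the addition from wrapping. The `PGSPicture` struct, its field names and the `pgs_rle_*` helpers below are hypothetical stand-ins modelled on the names quoted in the thread; the packet bytes are constructed.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the decoder's picture state (assumed names,
 * not FFmpeg's own struct). Lengths are unsigned so that wrap-around is
 * well defined and can be demonstrated. */
typedef struct {
    unsigned int   rle_expected_len; /* total RLE bytes announced by the first packet */
    unsigned int   rle_actual_len;   /* RLE bytes received so far */
    unsigned char *rle;              /* accumulated RLE data, sized rle_expected_len */
} PGSPicture;

/* The single-clause check quoted in the thread. Returns 1 if the packet
 * would be accepted. With a huge buf_size the sum wraps modulo 2^32 and
 * the comparison passes even though the packet cannot possibly fit. */
int rle_fits_naive(const PGSPicture *pic, unsigned int buf_size)
{
    if (pic->rle_actual_len + buf_size > pic->rle_expected_len)
        return 0;
    return 1;
}

/* The two-clause form suggested in the review. Once buf_size is known to be
 * <= rle_expected_len (and rle_actual_len never exceeds it, see append
 * below), the sum is at most 2 * rle_expected_len, which cannot wrap as long
 * as the announced length stays below UINT_MAX / 2; PGS announces object
 * data lengths in a 3-byte field, so that holds in practice. */
int rle_fits_checked(const PGSPicture *pic, unsigned int buf_size)
{
    if (buf_size > pic->rle_expected_len ||
        pic->rle_actual_len + buf_size > pic->rle_expected_len)
        return 0;
    return 1;
}

/* Append one (continuation) packet using the checked form.
 * Returns 0 on success, -1 if the packet is rejected or allocation fails. */
int pgs_rle_append(PGSPicture *pic, const unsigned char *buf, unsigned int buf_size)
{
    if (!rle_fits_checked(pic, buf_size))
        return -1;
    if (!pic->rle) {
        pic->rle = malloc(pic->rle_expected_len ? pic->rle_expected_len : 1);
        if (!pic->rle)
            return -1;
        pic->rle_actual_len = 0;
    }
    memcpy(pic->rle + pic->rle_actual_len, buf, buf_size);
    pic->rle_actual_len += buf_size;
    return 0;
}

/* The check the review asks for at display time: only decode/display once
 * every announced byte has actually arrived. */
int pgs_rle_complete(const PGSPicture *pic)
{
    return pic->rle != NULL && pic->rle_actual_len == pic->rle_expected_len;
}

/* Constructed scenario: a 12-byte object announced once, delivered in two
 * 6-byte packets, followed by a stray third packet. Returns 1 if the
 * accumulation behaves as intended, 0 otherwise. */
int demo_split_object(void)
{
    static const unsigned char part1[6] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
    static const unsigned char part2[6] = { 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b };
    PGSPicture pic = { 12, 0, NULL };
    int ok = 1;

    ok = ok && pgs_rle_append(&pic, part1, sizeof part1) == 0;
    ok = ok && !pgs_rle_complete(&pic);             /* half way: not displayable yet */
    ok = ok && pgs_rle_append(&pic, part2, sizeof part2) == 0;
    ok = ok && pgs_rle_complete(&pic);              /* all 12 bytes present */
    ok = ok && pgs_rle_append(&pic, part1, sizeof part1) == -1; /* extra data rejected */
    ok = ok && pic.rle_actual_len == 12 && pic.rle[11] == 0x0b;

    free(pic.rle);
    return ok;
}

int main(void)
{
    PGSPicture pic = { 1000, 100, NULL };
    unsigned int hostile = UINT_MAX - 50; /* 100 + hostile wraps to 49 */

    printf("naive accepts wrapped length:   %d\n", rle_fits_naive(&pic, hostile));
    printf("checked accepts wrapped length: %d\n", rle_fits_checked(&pic, hostile));
    printf("split object demo ok:           %d\n", demo_split_object());
    return 0;
}
```

The demo uses `unsigned int` lengths deliberately: with signed fields the same wrap would be undefined behaviour and the compiler may drop the check entirely, which is one more reason to compare `buf_size` against the expected length on its own before doing any arithmetic with it.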


