[FFmpeg-devel] [PATCH] Decode PGS subtitle multipacket RLE data

Reimar Döffinger Reimar.Doeffinger
Wed Nov 17 23:02:19 CET 2010


On Thu, Nov 11, 2010 at 08:26:25PM +0100, Reimar Döffinger wrote:
> On Thu, Nov 11, 2010 at 10:01:08AM -0800, Mark Goodman wrote:
> > On Sat, Nov 6, 2010 at 3:53 PM, Mark Goodman <mark.goodman at gmail.com> wrote:
> > > On Sat, Nov 6, 2010 at 3:26 PM, Reimar Döffinger
> > > <Reimar.Doeffinger at gmx.de> wrote:
> > >> On Sat, Nov 06, 2010 at 03:10:55PM -0700, Mark Goodman wrote:
> > >>> On Sat, Nov 6, 2010 at 2:55 PM, Reimar Döffinger
> > >>> <Reimar.Doeffinger at gmx.de> wrote:
> > >>> > On Sat, Nov 06, 2010 at 02:32:33PM -0700, Mark Goodman wrote:
> > >>> >> The width and height bytes are included in the encoded length so
> > >>> >> subtract four bytes from the encoded length.
> > >>> >
> > >>> > There is not enough validation.
> > >>> > The decoder is already really crappy in that regard, but the code
> > >>> > really needs to check that it has all necessary data upon display
> > >>> > (or whenever else it uses it) and at the very least print an error
> > >>> > message if not.
> > >>>
> > >>> Here's a second patch with some validation.
> > >>
> > >> I suspect this
> > >>> if (ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
> > >> should be
> > >>> if (buf_size > ctx->picture.rle_expected_len ||
> > >>>     ctx->picture.rle_actual_len + buf_size > ctx->picture.rle_expected_len)
> > >> or something like that to make 100% sure no integer overflow can happen.
> > >
> > > Yes. A third patch is attached.
> > 
> > Ping. Are there any other concerns with this patch?
> 
> No it looks ok to me. I don't know if I will have time to test
> and apply it today, but if someone else wants or I'll do it hopefully
> tomorrow at the latest.

I actually forgot about it and now it is too late in the night again.
Feel free to ping me via private mail if it's still not applied before the
weekend at the latest.
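As an added illustration, not part of the thread or the attached patch, of the wrap-around Reimar points out above: the quoted check and a hardened variant side by side, plus the display-time completeness check he asked for. The struct, its unsigned field types, RLE_MAX and the packet sequence are constructed for this example and are not FFmpeg's layout.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed RLE state for this example; unsigned types and RLE_MAX are assumptions, not FFmpeg's. */
#define RLE_MAX 256
typedef struct {
    unsigned rle_expected_len; /* total RLE bytes announced up front */
    unsigned rle_actual_len;   /* RLE bytes received so far */
    unsigned char rle[RLE_MAX];
} rle_state;

/* Check as quoted from the first patch. With 50 of 100 bytes received, a packet
 * claiming UINT_MAX - 10 bytes wraps the sum to 39 <= 100 and is accepted. */
bool naive_fits(const rle_state *s, unsigned buf_size)
{
    return s->rle_actual_len + buf_size <= s->rle_expected_len;
}

/* Hardened form (subtraction variant of the review's suggestion): no sum of
 * externally supplied lengths is formed, so nothing can wrap. */
bool safe_fits(const rle_state *s, unsigned buf_size)
{
    if (s->rle_actual_len > s->rle_expected_len) return false; /* invariant broken */
    return buf_size <= s->rle_expected_len - s->rle_actual_len;
}

/* Append one packet's fragment; 0 on success, -1 if rejected. */
int rle_append(rle_state *s, const unsigned char *buf, unsigned buf_size)
{
    if (s->rle_expected_len > RLE_MAX || !safe_fits(s, buf_size)) return -1;
    memcpy(s->rle + s->rle_actual_len, buf, buf_size);
    s->rle_actual_len += buf_size;
    return 0;
}

/* Display-time check the review asked for: every announced byte arrived. */
bool rle_complete(const rle_state *s)
{
    return s->rle_actual_len == s->rle_expected_len;
}

/* 8 bytes announced, fragments of 5, 4, 3: the 4-byte one overruns the remainder and is dropped. */
int run_fragments(void)
{
    static const unsigned char frag[5] = {1, 2, 3, 4, 5};
    rle_state s = {8, 0, {0}};
    int ok = 0;
    ok += rle_append(&s, frag, 5) == 0;
    ok += rle_append(&s, frag, 4) == 0; /* only 3 bytes remain: rejected */
    ok += rle_append(&s, frag, 3) == 0;
    return rle_complete(&s) ? ok : -1; /* accepted count, or -1 if incomplete */
}
```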
