[FFmpeg-devel] [PATCH] movtextdec.c: Add support for font names

Niklesh Lalwani lalwani1994 at gmail.com
Wed Aug 5 20:42:07 CEST 2015


> I didn't mean this - it's ok for the value to be 0, but it's
> not ok for it to be some huge number that will cause you to
> read beyond the end of the buffer. So like you did for the other
> variable length fields, you need to sanity check this against the total
> packet size.
>
> > +    t3xg_ptr += 2;
> > +    for (i = 0; i < m->ftab_entries; i++) {
> > +        m->ftab_temp = av_malloc(sizeof(*m->ftab_temp));
> > +        if (!m->ftab_temp) {
> > +            mov_text_cleanup_ftab(m);
> > +            return AVERROR(ENOMEM);
> > +        }
> > +        m->ftab_temp->fontID = AV_RB16(t3xg_ptr);
> > +        t3xg_ptr += 2;
> > +        m->ftab_temp->font_name_length = *t3xg_ptr++;
> > +        if (!m->ftab_temp->font_name_length) {
> > +            m->ftab_entries = 0;
> > +            return -1;
> > +        }
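
Review bot: The zero-length branch at the end of this hunk returns without releasing the `m->ftab_temp` allocated earlier in the same loop iteration, and without calling `mov_text_cleanup_ftab(m)` as the ENOMEM branch above it does. Free the temporary entry (for example with `av_freep(&m->ftab_temp)`) before returning, and return `AVERROR_INVALIDDATA` rather than a bare `-1`. Also, each iteration reads three bytes through `AV_RB16(t3xg_ptr)` and `*t3xg_ptr++`, and nothing in the visible lines checks that three bytes remain in the packet, so a large `m->ftab_entries` keeps the loop reading past the end of the data.
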
>
> Similarly here. The fontname length could be too long. We know it is
> not allowed to be more than 20, but you also need to verify against
> total packet size.
>
>
Yes, my bad. Updated the patch.

Thanks,
Niklesh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-movtextdec.c-Add-support-for-font-names.patch
Type: text/x-patch
Size: 6172 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20150806/be06a66e/attachment.bin>
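
The check requested in the quoted review (every count and length field validated against the bytes actually left in the packet) can look like the following. This is an added example, not code from the patch or from FFmpeg; `FontEntry`, `parse_font_table` and the sample packets are hypothetical, and the layout (16-bit entry count, then a 16-bit font ID, a one-byte name length and the name per entry) is assumed from the quoted hunk.

```c
/* Added example, not FFmpeg code. Layout assumed from the quoted hunk:
 * u16 entry count, then per entry: u16 fontID, u8 name length, name bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t font_id; char name[256]; } FontEntry; /* hypothetical */

/* Returns the number of entries parsed, or -1 if any field would extend
 * past buf + size, the count exceeds max_out, or a name length is zero. */
static int parse_font_table(const uint8_t *buf, size_t size,
                            FontEntry *out, int max_out)
{
    const uint8_t *p = buf, *end = buf + size;
    int count, i;

    if (end - p < 2)
        return -1;
    count = (p[0] << 8) | p[1];
    p += 2;
    if (count > max_out)
        return -1;
    for (i = 0; i < count; i++) {
        size_t len;
        if (end - p < 3)                 /* fontID + length byte */
            return -1;
        out[i].font_id = (uint16_t)((p[0] << 8) | p[1]);
        len = p[2];
        p += 3;
        if (len == 0 || (size_t)(end - p) < len)
            return -1;                   /* name would overrun the packet */
        memcpy(out[i].name, p, len);
        out[i].name[len] = '\0';
        p += len;
    }
    return count;
}

/* Constructed sample packets. */
static const uint8_t sample_ok[]        = { 0,1, 0,1, 5,'S','e','r','i','f' };
static const uint8_t sample_long_name[] = { 0,1, 0,1, 200,'S','e' };
static const uint8_t sample_big_count[] = { 0,2, 0,1, 1,'A' };

int main(void)
{
    FontEntry e[4];
    printf("%d\n", parse_font_table(sample_ok, sizeof sample_ok, e, 4));
    printf("%d\n", parse_font_table(sample_long_name, sizeof sample_long_name, e, 4));
    printf("%d\n", parse_font_table(sample_big_count, sizeof sample_big_count, e, 4));
    return 0;
}
```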