From 52b2e95cd9f829b83b879a0694173d4ef1558c46 Mon Sep 17 00:00:00 2001
From: Jindrich Makovicka
Date: Sat, 5 Feb 2011 11:39:51 +0100
Subject: [PATCH] dvdsubdec.c: prevent input buffer overflow
In some places, dvbsubdec passes improper input buffer size to bitstream reading functions, not accounting for reading pointer updates. Fixed by using buffer_end - buffer pointer instead of fixed buffer length.
Signed-off-by: Jindrich Makovicka
Signed-off-by: Michael Niedermayer
---
 libavcodec/dvbsubdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index fe9879822f..8cc8d4fc83 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -792,7 +792,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis
 map_table = NULL;
 x_pos += dvbsub_read_2bit_string(pbuf + (y_pos * region->width) + x_pos,
- region->width - x_pos, &buf, buf_size,
+ region->width - x_pos, &buf, buf_end - buf,
 non_mod, map_table);
 break;
 case 0x11:
@@ -807,7 +807,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis
 map_table = NULL;
 x_pos += dvbsub_read_4bit_string(pbuf + (y_pos * region->width) + x_pos,
- region->width - x_pos, &buf, buf_size,
+ region->width - x_pos, &buf, buf_end - buf,
 non_mod, map_table);
 break;
 case 0x12:
@@ -817,7 +817,7 @@ static void dvbsub_parse_pixel_data_block(AVCodecContext *avctx, DVBSubObjectDis
 }
 x_pos += dvbsub_read_8bit_string(pbuf + (y_pos * region->width) + x_pos,
- region->width - x_pos, &buf, buf_size,
+ region->width - x_pos, &buf, buf_end - buf,
 non_mod, NULL);
 break;
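Review bot: The new length `buf_end - buf` at the `dvbsub_read_2bit_string` call is only a valid remaining-byte count while `buf <= buf_end`, and nothing visible in this hunk establishes that; the same applies to the `dvbsub_read_4bit_string` and `dvbsub_read_8bit_string` calls in the two following hunks. Because `&buf` is handed to the readers, they move the pointer themselves, so if any of them can step past the length it was given, the next call would receive a negative difference (presumably narrowed to an integer size parameter; the reader prototypes are outside the diff). I would state the invariant at the call sites, e.g. `/* buf <= buf_end: readers must not advance buf beyond the length passed in */`, and confirm that the readers tolerate a remaining length of 0. The enclosing function `dvbsub_parse_pixel_data_block` starts and ends outside these hunks.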