mirror of https://code.videolan.org/videolan/vlc
svcdsub: Fix potential buffer overrun
https://hackerone.com/reports/504722 Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
parent
de2d56055b
commit
3d2507c632
|
@ -366,17 +366,29 @@ static void ParseHeader( decoder_t *p_dec, block_t *p_block )
|
|||
{
|
||||
decoder_sys_t *p_sys = p_dec->p_sys;
|
||||
uint8_t *p = p_block->p_buffer;
|
||||
size_t i_buffer = p_block->i_buffer;
|
||||
uint8_t i_options, i_cmd;
|
||||
int i;
|
||||
|
||||
if (i_buffer < 4) return;
|
||||
|
||||
p_sys->i_spu_size = GETINT16(p);
|
||||
i_options = *p++;
|
||||
// Skip over unused value
|
||||
p++;
|
||||
|
||||
if( i_options & 0x08 ) { p_sys->i_duration = FROM_SCALE_NZ(GetDWBE(p)); p += 4; }
|
||||
i_buffer -= 4;
|
||||
|
||||
if( i_options & 0x08 ) {
|
||||
if (i_buffer < 4) return;
|
||||
p_sys->i_duration = FROM_SCALE_NZ(GetDWBE(p));
|
||||
p += 4;
|
||||
i_buffer -= 4;
|
||||
}
|
||||
else p_sys->i_duration = 0; /* Ephemer subtitle */
|
||||
|
||||
if (i_buffer < 25) return;
|
||||
|
||||
p_sys->i_x_start = GETINT16(p);
|
||||
p_sys->i_y_start = GETINT16(p);
|
||||
p_sys->i_width = GETINT16(p);
|
||||
|
@ -391,12 +403,21 @@ static void ParseHeader( decoder_t *p_dec, block_t *p_block )
|
|||
}
|
||||
|
||||
i_cmd = *p++;
|
||||
|
||||
i_buffer -= 25;
|
||||
|
||||
/* We do not really know this, FIXME */
|
||||
if( i_cmd ) { p += 4; }
|
||||
if( i_cmd ) {
|
||||
if (i_buffer < 4) return;
|
||||
p += 4;
|
||||
i_buffer -= 4;
|
||||
}
|
||||
|
||||
/* Actually, this is measured against a different origin, so we have to
|
||||
* adjust it */
|
||||
if (i_buffer < 2) return;
|
||||
p_sys->second_field_offset = GETINT16(p);
|
||||
i_buffer -= 2;
|
||||
p_sys->i_image_offset = p - p_block->p_buffer;
|
||||
p_sys->i_image_length = p_sys->i_spu_size - p_sys->i_image_offset;
|
||||
p_sys->metadata_length = p_sys->i_image_offset;
|
||||
|
|
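Review bot: At the end of the second hunk, `p_sys->i_image_length = p_sys->i_spu_size - p_sys->i_image_offset;` still subtracts from a size field read straight from the packet, and nothing in the visible lines compares `i_spu_size` with the offset just computed or with `p_block->i_buffer`. A header that declares a size smaller than its own header length would make the result negative or wrap (the field types are not visible here), so a guard such as `if (p_sys->i_spu_size < p_sys->i_image_offset) return;` placed just before the subtraction would close that gap. Separately, ParseHeader is `static void`, so each new `return;` leaves `i_image_offset`, `i_image_length` and `metadata_length` at whatever they held before and gives the caller no way to tell that the header was truncated; returning a status that the caller checks before using those fields would make the new bounds checks effective. The function body continues past the end of this hunk and the caller is not shown, so how these fields are consumed should be confirmed there.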