authorVincent Penquerc'h <vincent.penquerch@collabora.co.uk>2014-04-30 10:05:15 +0100
committerVincent Penquerc'h <vincent.penquerch@collabora.co.uk>2014-04-30 18:16:11 +0100
commitd8fb89e4e69dc3f74314ca274a6818c1e3396f52 (patch)
treee9128d4e5c1fa70fe9e2dfb0a1bec141f3b15b65
parent56cca649d4faa33f85c0b57c4ebfa936bf8ac8b7 (diff)
kate: avoid read buffer overflow in crafted stream
Coverity 1208777
-rw-r--r--ext/kate/gstkatespu.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/ext/kate/gstkatespu.c b/ext/kate/gstkatespu.c
index e256f8632..1b7dbc79b 100644
--- a/ext/kate/gstkatespu.c
+++ b/ext/kate/gstkatespu.c
@@ -79,7 +79,7 @@ gst_kate_spu_decode_pixaddr (GstKateEnc * ke, const guint8 * ptr)
/* heavily inspired from dvdspudec */
static guint16
-gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr)
+gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr, guint16 sz)
{
guint16 nbytes = GST_KATE_UINT16_BE (ptr + 0);
guint16 nbytes_left = nbytes;
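Review bot: The new `sz` parameter is undocumented, and the first statement of the body still reads two bytes with `GST_KATE_UINT16_BE (ptr + 0)` before anything in the function looks at `sz`. That read appears to be safe only because the call site in the third hunk runs `CHECK (2)` first, which presumably verifies that two bytes are available. The precondition belongs in the comment above the function, e.g. `/* sz: number of bytes readable at ptr; the caller must guarantee sz >= 2 */`. The function body continues outside this hunk.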
@@ -92,6 +92,12 @@ gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr)
nbytes);
return 0;
}
+ if (G_UNLIKELY (nbytes > sz)) {
+ GST_WARNING_OBJECT (ke,
+ "Number of bytes in color/contrast change command is %u, but the buffer "
+ "only contains %u byte(s)", nbytes, sz);
+ return 0;
+ }
ptr += 2;
nbytes_left -= 2;
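Review bot: The new rejection path at `return 0;` reports the oversized length only through a warning, and the caller in the third hunk feeds the return value straight into `ADVANCE`. The macro is not visible here, but if it moves `ptr` by that amount, a zero return leaves the parser on the same offset and the length bytes of the rejected command would be decoded as further commands. The call site should treat a zero return as a decode failure and stop parsing the sequence instead of advancing. The same applies to the existing `return 0;` just above the added check. The function body continues outside this hunk.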
@@ -348,7 +354,7 @@ gst_kate_spu_decode_command_sequence (GstKateEnc * ke, GstBuffer * buf,
case SPU_CMD_CHG_COLCON: /* 0x07 */
GST_DEBUG_OBJECT (ke, "[7] CHANGE COLOR/CONTRAST");
CHECK (2);
- ADVANCE (gst_kate_spu_decode_colcon (ke, ptr));
+ ADVANCE (gst_kate_spu_decode_colcon (ke, ptr, sz));
break;
case SPU_CMD_END: /* 0xff */
GST_DEBUG_OBJECT (ke, "[0xff] END");