From 807e23118b6b6d99e61b5e2055c4bc82a444b008 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Tue, 6 Dec 2016 07:58:25 +0200
Subject: vmncdec: Sanity-check rectangle sizes a bit more thorough

The x/y coordinates could already be bigger than the configured width/height, and adding the rectangle width/height could cause an overflow.
---
 gst/vmnc/vmncdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'gst/vmnc')
diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
index b3c977883..cbbaeb6b4 100644
--- a/gst/vmnc/vmncdec.c
+++ b/gst/vmnc/vmncdec.c
@@ -785,7 +785,8 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
 r.type);
 return ERROR_INVALID;
 }
- if (r.x + r.width > dec->format.width ||
+ if (r.x > dec->format.width || r.y > dec->format.height ||
+ r.x + r.width > dec->format.width ||
 r.y + r.height > dec->format.height) {
 GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
 return ERROR_INVALID;
-- 
cgit v1.2.1
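Review bot: The added `r.x > dec->format.width` and `r.y > dec->format.height` tests bound only the origin; the sums `r.x + r.width` and `r.y + r.height` on the next two lines are still computed before they are compared. A large `r.width` or `r.height` could therefore still wrap past the limit if the rectangle fields are as wide as the arithmetic type. The field types are declared outside this hunk, so this needs confirming; if they are 16-bit and promoted to `int`, the sum cannot wrap. A form that does not depend on those widths keeps the two origin tests and replaces the sums with `r.width > dec->format.width - r.x ||` and `r.height > dec->format.height - r.y) {`, where the origin tests guarantee the subtractions are non-negative. A short comment above the condition saying that the rectangle comes from the packet data and is checked before any framebuffer access would also help; vmnc_handle_packet starts and ends outside the hunk.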