Changes between Initial Version and Version 3 of Ticket #554


Timestamp: Oct 14, 2011, 2:25:21 PM (9 years ago)
Author: cehoyos

  • Ticket #554 – Description

    The function dvbsub_parse_pixel_data_block() in libavcodec/dvbsubdec.c is prone to overflowing the region->pbuf buffer. That buffer is region->width*region->height bytes in length, but the check for overflow is done like this:

    {{{
    if (x_pos > region->width || y_pos > region->height)
    }}}

    The comparisons should obviously use greater than or equal instead of greater than, since you never want to write at region->height * region->width + something. However, if I change them, the "invalid object location" message triggers all the time because y_pos is incremented a few lines above like this:

    {{{
    if ((y_pos & 1) != top_bottom)
        y_pos++;
    }}}

    I suppose this is trying to align the starting line to odd or even to account for interlacing. I'm not sure how this works for progressive streams since I don't know anything about how DVB subtitles are encoded, but with a progressive stream it always reaches this piece of code with y_pos = region->height - 1, so the increment makes y_pos invalid, causing a buffer overflow with the current code, or triggering the error message if the comparison is fixed.
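The interaction described in the ticket, modeled as an added example (not the libavcodec source and not part of the original ticket). `struct region_model` and all helper names are hypothetical, the region sizes are constructed, and the two quoted snippets are wrapped in functions that only compute offsets and never write memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model: pbuf holds width*height bytes, pixel at y*width + x. */
struct region_model { int width, height; };
typedef int (*check_fn)(const struct region_model *, int, int);

/* Check as quoted in the ticket: rejects only x > width or y > height. */
static int loose_check_passes(const struct region_model *r, int x, int y) {
    return !(x > r->width || y > r->height);
}

/* Comparison the reporter proposes (>=). */
static int strict_check_passes(const struct region_model *r, int x, int y) {
    return !(x >= r->width || y >= r->height);
}

/* 1 if a one-byte write at (x, y) stays inside the width*height buffer. */
static int write_in_bounds(const struct region_model *r, int x, int y) {
    if (x < 0 || y < 0) return 0;
    size_t off = (size_t)y * (size_t)r->width + (size_t)x;
    return off < (size_t)r->width * (size_t)r->height;
}

/* Field alignment step as quoted in the ticket. */
static int align_to_field(int y_pos, int top_bottom) {
    if ((y_pos & 1) != top_bottom)
        y_pos++;
    return y_pos;
}

/* Count start positions a check accepts although the write would be outside. */
static int count_oob_accepted(const struct region_model *r, check_fn check) {
    int n = 0;
    for (int y = 0; y <= r->height + 1; y++)
        for (int x = 0; x <= r->width + 1; x++)
            if (check(r, x, y) && !write_in_bounds(r, x, y))
                n++;
    return n;
}

int main(void) {
    struct region_model r = { 720, 576 };     /* constructed sample size */
    int y = align_to_field(r.height - 1, 0);  /* 575 is odd, so y becomes 576 */
    printf("y_pos=%d loose=%d strict=%d in_bounds=%d oob_loose=%d\n", y,
           loose_check_passes(&r, 0, y), strict_check_passes(&r, 0, y),
           write_in_bounds(&r, 0, y), count_oob_accepted(&r, loose_check_passes));
    return 0;
}
```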