vmncdec: Sanity-check rectangle sizes a bit more thorough

The x/y coordinates could already be bigger than the configured width/height, and adding the rectangle width/height could cause an overflow.
2024-07-02 20:55:55 +00:00 · 2016-12-06 07:58:25 +02:00 · 2016-12-06 07:58:25 +02:00 · 807e23118b
parent 1dbbd4c91e
commit 807e23118b
1 changed files with 2 additions and 1 deletions
--- a/gst/vmnc/vmncdec.c
+++ b/gst/vmnc/vmncdec.c
@ -785,7 +785,8 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
                r.type);
            return ERROR_INVALID;
          }
-          if (r.x + r.width > dec->format.width ||
+          if (r.x > dec->format.width || r.y > dec->format.height ||
+              r.x + r.width > dec->format.width ||
              r.y + r.height > dec->format.height) {
            GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
            return ERROR_INVALID;