From d8fb89e4e69dc3f74314ca274a6818c1e3396f52 Mon Sep 17 00:00:00 2001 From: Vincent Penquerc'h Date: Wed, 30 Apr 2014 10:05:15 +0100 Subject: [PATCH] kate: avoid read buffer overflow in crafted stream Coverity 1208777 --- ext/kate/gstkatespu.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ext/kate/gstkatespu.c b/ext/kate/gstkatespu.c index e256f86324..1b7dbc79bf 100644 --- a/ext/kate/gstkatespu.c +++ b/ext/kate/gstkatespu.c @@ -79,7 +79,7 @@ gst_kate_spu_decode_pixaddr (GstKateEnc * ke, const guint8 * ptr) /* heavily inspired from dvdspudec */ static guint16 -gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr) +gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr, guint16 sz) { guint16 nbytes = GST_KATE_UINT16_BE (ptr + 0); guint16 nbytes_left = nbytes; @@ -92,6 +92,12 @@ gst_kate_spu_decode_colcon (GstKateEnc * ke, const guint8 * ptr) nbytes); return 0; } + if (G_UNLIKELY (nbytes > sz)) { + GST_WARNING_OBJECT (ke, + "Number of bytes in color/contrast change command is %u, but the buffer " + "only contains %u byte(s)", nbytes, sz); + return 0; + } ptr += 2; nbytes_left -= 2; @@ -348,7 +354,7 @@ gst_kate_spu_decode_command_sequence (GstKateEnc * ke, GstBuffer * buf, case SPU_CMD_CHG_COLCON: /* 0x07 */ GST_DEBUG_OBJECT (ke, "[7] CHANGE COLOR/CONTRAST"); CHECK (2); - ADVANCE (gst_kate_spu_decode_colcon (ke, ptr)); + ADVANCE (gst_kate_spu_decode_colcon (ke, ptr, sz)); break; case SPU_CMD_END: /* 0xff */ GST_DEBUG_OBJECT (ke, "[0xff] END");