avcodec/dvdsubdec: Fix buf_size check

michaelni · michaelni · commit 25ab1a65f3ac · 2016-10-26T18:46:10.000+02:00
Fixes out of array access

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer &lt;michael@niedermayer.cc&gt;
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
@@ -548,7 +548,8 @@ static int append_to_cached_buf(AVCodecContext *avctx,
 {
     DVDSubContext *ctx = avctx->priv_data;
 
-    if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) {
+    av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf));
+    if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) {
         av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct "
                "too large SPU packets aborted.\n");
         ctx->buf_size = 0;

Original file line number	Diff line number	Diff line change
`@@ -548,7 +548,8 @@ static int append_to_cached_buf(AVCodecContext *avctx,`
`548`	`548`	`{`
`549`	`549`	`DVDSubContext *ctx = avctx->priv_data;`
`550`	`550`
`551`		`- if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) {`
	`551`	`+ av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf));`
	`552`	`+ if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) {`
`552`	`553`	`av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct "`
`553`	`554`	`"too large SPU packets aborted.\n");`
`554`	`555`	`ctx->buf_size = 0;`