
[FFmpeg-devel,03/11] avcodec/movtextdec: Simplify checking for invalid extradata

Message ID 20201017182248.577108-3-andreas.rheinhardt@gmail.com
State Accepted
Commit a42695c07244991ceabf9996d086dda3fcc28fc1
Series [FFmpeg-devel,01/11] avcodec/movtextdec: Reset counter of fonts when freeing them

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Andreas Rheinhardt Oct. 17, 2020, 6:22 p.m. UTC
Every font entry occupies at least three bytes, so checking early
whether there is that much data available is a low-effort way to exclude
invalid extradata. Doing so leads to an overall simplification.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavcodec/movtextdec.c | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

Patch

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index ad60c77519..e46c932c20 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -145,14 +145,13 @@  static void mov_text_cleanup_ftab(MovTextContext *m)
 static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 {
     uint8_t *tx3g_ptr = avctx->extradata;
-    int i, box_size, font_length;
+    int i, font_length, remaining = avctx->extradata_size - BOX_SIZE_INITIAL;
     int8_t v_align, h_align;
     unsigned ftab_entries;
     StyleBox s_default;
 
     m->ftab_entries = 0;
-    box_size = BOX_SIZE_INITIAL; /* Size till ftab_entries */
-    if (avctx->extradata_size < box_size)
+    if (remaining < 0)
         return -1;
 
     // Display Flags
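Review bot: The size check at the top of mov_text_tx3g still returns a bare `-1`, as does the font-name length check inside the loop in the third hunk, while the new entry-count check in the second hunk returns `AVERROR_INVALIDDATA`. All three reject malformed extradata, so they should report the same code; `return AVERROR_INVALIDDATA;` in both places would make the failure recognisable to whoever reads the error. The function body continues outside this hunk, so whether callers inspect the specific value cannot be confirmed from here.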
@@ -220,6 +219,9 @@  static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
     ftab_entries = AV_RB16(tx3g_ptr);
     if (!ftab_entries)
         return 0;
+    remaining   -= 3 * ftab_entries;
+    if (remaining < 0)
+        return AVERROR_INVALIDDATA;
     m->ftab = av_calloc(ftab_entries, sizeof(*m->ftab));
     if (!m->ftab)
         return AVERROR(ENOMEM);
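Review bot: `remaining -= 3 * ftab_entries;` mixes the `int` remaining with the `unsigned` ftab_entries, so the subtraction is done in unsigned arithmetic and the following `remaining < 0` test depends on the wrapped result converting back to a negative int. That holds on the usual targets, and since the count is read with AV_RB16 the product cannot overflow, but a bounds check on untrusted extradata is easier to audit when it stays signed: `remaining -= 3 * (int)ftab_entries;`. The function starts and ends outside this hunk.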
@@ -227,18 +229,12 @@  static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
     tx3g_ptr += 2;
 
     for (i = 0; i < m->ftab_entries; i++) {
-
-        box_size += 3;
-        if (avctx->extradata_size < box_size) {
-            mov_text_cleanup_ftab(m);
-            return -1;
-        }
         m->ftab[i].fontID = AV_RB16(tx3g_ptr);
         tx3g_ptr += 2;
         font_length = *tx3g_ptr++;
 
-        box_size = box_size + font_length;
-        if (avctx->extradata_size < box_size) {
+        remaining  -= font_length;
+        if (remaining < 0) {
             mov_text_cleanup_ftab(m);
             return -1;
         }
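Review bot: The reads of fontID and the length byte at the top of the loop body no longer have a local guard; they are in bounds only because three bytes per entry were subtracted from `remaining` before the allocation, and the loop bound `m->ftab_entries` is assigned on a line that none of these hunks shows. A comment at the top of the loop would keep that invariant visible to the next person who edits it, for example `/* 2-byte fontID + 1-byte name length per entry already checked against remaining */`. The loop body and the function continue past the end of this hunk.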