[libbluray-devel] commit: pg_decode_object(): check buffer size before decoding the object ( hpi1 )

git at videolan.org git at videolan.org
Tue Aug 17 02:06:33 CEST 2010


libbluray | branch: master | hpi1 <hpi1 at anonymous.org> | Tue Aug 17 02:53:11 2010 +0300| [178aa69fb832fc7a3e7878c47f0f13e94bb9534a] | committer: hpi1 

pg_decode_object(): check buffer size before decoding the object

> http://git.videolan.org/gitweb.cgi/libbluray.git/?a=commit;h=178aa69fb832fc7a3e7878c47f0f13e94bb9534a
---

 src/libbluray/decoders/pg_decode.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/src/libbluray/decoders/pg_decode.c b/src/libbluray/decoders/pg_decode.c
index 6ae53a9..4a14e39 100644
--- a/src/libbluray/decoders/pg_decode.c
+++ b/src/libbluray/decoders/pg_decode.c
@@ -181,7 +181,18 @@ int pg_decode_object(BITBUFFER *bb, BD_PG_OBJECT *p)
         return 0;
     }
 
-    /*uint32_t data_len =*/ bb_read(bb, 24);
+    if (!bb_is_align(bb, 0x07)) {
+      ERROR("pg_decode_object(): alignment error\n");
+      return 0;
+    }
+
+    uint32_t data_len = bb_read(bb, 24);
+    uint32_t buf_len  = bb->p_end - bb->p;
+    if (data_len != buf_len) {
+        ERROR("pg_decode_object(): buffer size mismatch (expected %d, have %d)\n", data_len, buf_len);
+        return 0;
+    }
+
     p->width  = bb_read(bb, 16);
     p->height = bb_read(bb, 16);
 
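Review bot: The new `data_len != buf_len` test only proves the declared length matches the bytes left in the buffer; it does not prove there are enough bytes for the two 16-bit reads that follow, so an object with `data_len` under 4 still reaches `p->width = bb_read(bb, 16)`. Whether that over-reads depends on how `bb_read` handles the end of the buffer, which is not visible here. A minimum-length guard would close the gap: `if (data_len != buf_len || data_len < 4) {`. The same applies to `bb_read(bb, 24)` itself, unless code above the hunk already guarantees three bytes remain. Both values are `uint32_t`, so the message should use `%u` (or `PRIu32`) rather than `%d`, and the alignment block is indented six spaces where the rest uses four. The body of `pg_decode_object` starts and ends outside this hunk.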


