author | wm4 <wm4@nowhere> | 2015-09-20 20:31:26 +0200 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2015-09-20 20:31:26 +0200 |
commit | 0347901140f5a0ca5566b03d49895134549b9019 (patch) | |
tree | ae940ec65f4ef5be52b21779497b16f56a4af8ee | |
parent | 7dc433e5a65a11ea6b1b216c217a24cbc7c97050 (diff) | |
protect against overreads
-rw-r--r-- | libass/ass_utils.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/libass/ass_utils.c b/libass/ass_utils.c
index 91b1873..44f76cf 100644
--- a/libass/ass_utils.c
+++ b/libass/ass_utils.c
@@ -423,12 +423,16 @@ unsigned ass_utf8_put_char(char *dest, uint32_t ch)
 * (will be set to the start of the next code point)
 * \return the code point
 */
-static uint32_t ass_read_utf16be(uint8_t **src)
+static uint32_t ass_read_utf16be(uint8_t **src, size_t bytes)
 {
+ if (bytes < 2)
+ return 0;
+
 uint32_t cp = ((*src)[0] << 8) | (*src)[1];
 *src += 2;
+ bytes -= 2;
- if (cp >= 0xD800 && cp <= 0xDBFF) {
+ if (cp >= 0xD800 && cp <= 0xDBFF && bytes >= 2) {
 uint32_t cp2 = ((*src)[0] << 8) | (*src)[1];
 *src += 2;
@@ -447,7 +451,7 @@ void ass_utf16be_to_utf8(char *dst, size_t dst_size, uint8_t *src, size_t src_si
 dst[0] = '\0';
 while (src < end) {
- uint32_t cp = ass_read_utf16be(&src);
+ uint32_t cp = ass_read_utf16be(&src, end - src);
 if (dst_size < 5)
 break;
 unsigned s = ass_utf8_put_char(dst, cp); |
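Review bot: The new early return in ass_read_utf16be (`if (bytes < 2) return 0;`) leaves `*src` where it was, so for an odd `src_size` the caller's `while (src < end)` loop in the second hunk never consumes the trailing byte. The loop then stops only through the `dst_size < 5` check, presumably after padding the rest of `dst` with NUL code points (the loop tail is outside the hunk, so confirm that `dst_size` shrinks on every pass). Consuming the remainder and returning a replacement character makes progress explicit and lets the caller tell truncation from a real U+0000: `if (bytes < 2) { *src += bytes; return 0xFFFD; }`. The surrogate branch has a related gap: when a high surrogate is the last unit, `bytes >= 2` is false and the lone surrogate is returned as `cp` and passed to ass_utf8_put_char, so it should be rejected there too. Both function bodies continue outside the hunks.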