vmncdec: Sanity-check rectangle sizes a bit more thorough

The x/y coordinates could already be bigger than the configured width/height, and adding the rectangle width/height could cause an overflow.
author: Sebastian Dröge <sebastian@centricular.com> 2016-12-06 07:58:25 +0200
committer: Sebastian Dröge <sebastian@centricular.com> 2016-12-06 07:59:51 +0200
commit: 807e23118b6b6d99e61b5e2055c4bc82a444b008 (patch)
tree: a1189a0ef426ed29f3400abc4e709155d6832584 /gst
parent: 1dbbd4c91e5313fad1ff9e8c7c77ec2287feb3d8 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
index b3c977883..cbbaeb6b4 100644
--- a/gst/vmnc/vmncdec.c
+++ b/gst/vmnc/vmncdec.c
@@ -785,7 +785,8 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
                 r.type);
             return ERROR_INVALID;
           }
-          if (r.x + r.width > dec->format.width ||
+          if (r.x > dec->format.width || r.y > dec->format.height ||
+              r.x + r.width > dec->format.width ||
               r.y + r.height > dec->format.height) {
             GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
             return ERROR_INVALID;
author	Sebastian Dröge <sebastian@centricular.com>	2016-12-06 07:58:25 +0200
committer	Sebastian Dröge <sebastian@centricular.com>	2016-12-06 07:59:51 +0200
commit	807e23118b6b6d99e61b5e2055c4bc82a444b008 (patch)
tree	a1189a0ef426ed29f3400abc4e709155d6832584 /gst
parent	1dbbd4c91e5313fad1ff9e8c7c77ec2287feb3d8 (diff)