Module: libav
Branch: release/0.5
Commit: 5629c3910188182a23ca0d46abd5a2350f502c58
Author: Alex Converse <alex.conve...@gmail.com>
Committer: Reinhard Tartler <siret...@tauware.de>
Date: Thu Jan 26 17:30:49 2012 +0100
kmvc: Check palsize.
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b)
(cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c)
Signed-off-by: Reinhard Tartler <siret...@tauware.de>
(cherry picked from commit e7392dc349291eb94379d8cfb7ef73d32a768858)
Signed-off-by: Reinhard Tartler <siret...@tauware.de>
---
libavcodec/kmvc.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
index 30939ab..69b5937 100644
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
#define KMVC_KEYFRAME 0x80
#define KMVC_PALETTE 0x40
#define KMVC_METHOD 0x0F
+#define MAX_PALSIZE 256
/*
* Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {
int setpal;
int palsize;
- uint32_t pal[256];
+ uint32_t pal[MAX_PALSIZE];
uint8_t *cur, *prev;
uint8_t *frm0, *frm1;
} KmvcContext;
@@ -366,6 +367,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
c->palsize = 127;
} else {
c->palsize = AV_RL16(avctx->extradata + 10);
+ if (c->palsize >= MAX_PALSIZE) {
+ av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+ return AVERROR_INVALIDDATA;
+ }
}
if (avctx->extradata_size == 1036) { // palette in extradata
_______________________________________________
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits
