From: "Ronald S. Bultje" <rsbul...@gmail.com>

Prevents overreads beyond buffer boundaries.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-sta...@libav.org --- libavcodec/vqavideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 2bb9e2f..54699a0 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -396,7 +396,7 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); /* sanity check the palette size */ - if (chunk_size / 3 > 256) { + if (chunk_size / 3 > 256 || chunk_size > bytestream2_get_bytes_left(&s->gb)) { av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found a palette chunk with %d colors\n", chunk_size / 3); return AVERROR_INVALIDDATA; -- 1.7.9.2 _______________________________________________ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
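Review bot: the av_log call under the widened condition in vqa_decode_chunk still reports only "found a palette chunk with %d colors", so when the new `chunk_size > bytestream2_get_bytes_left(&s->gb)` clause is the one that fires, the message describes a palette-size problem rather than a chunk that runs past the end of the buffer. Consider splitting the two checks, or logging the bytes left alongside chunk_size, so the two failure cases can be told apart in a report. It is also worth confirming the type of chunk_size, whose declaration is outside the visible context: the message prints chunk_size / 3 with %d, and if chunk_size is a signed int, a value from bytestream2_get_be32 with the top bit set would be negative and pass both clauses of the check, whereas an unsigned chunk_size is caught by the new comparison.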