[FFmpeg-cvslog] smacker: error out if palette copy-with-offset overruns palette size.

Ronald S. Bultje git at videolan.org
Mon Apr 2 01:45:28 CEST 2012


ffmpeg | branch: release/0.8 | Ronald S. Bultje <rsbultje at gmail.com> | Tue Mar  6 17:24:20 2012 -0800| [f2e412d050ae9a0dcdea515f1c02620c6dcf8c47] | committer: Reinhard Tartler

smacker: error out if palette copy-with-offset overruns palette size.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f2e412d050ae9a0dcdea515f1c02620c6dcf8c47
---

 libavformat/smacker.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index a817c31..7ec8099 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -261,8 +261,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
                     sz += (t & 0x7F) + 1;
                     pal += ((t & 0x7F) + 1) * 3;
                 } else if(t & 0x40){ /* copy with offset */
-                    off = avio_r8(s->pb) * 3;
+                    off = avio_r8(s->pb);
                     j = (t & 0x3F) + 1;
+                    if (off + j > 0xff) {
+                        av_log(s, AV_LOG_ERROR,
+                               "Invalid palette update, offset=%d length=%d extends beyond palette size\n",
+                               off, j);
+                        return AVERROR_INVALIDDATA;
+                    }
+                    off *= 3;
                     while(j-- && sz < 256) {
                         *pal++ = oldpal[off + 0];
                         *pal++ = oldpal[off + 1];
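Review bot: the new bound in this hunk is one entry stricter than the palette allows. The copy reads source entries off .. off+j-1, which all lie inside a 256-entry palette whenever off + j <= 256, so `if (off + j > 0xff)` also rejects the legitimate edge case off + j == 256 (for example off = 255, j = 1, copying the last entry). The condition that exactly matches the read range is `if (off + j > 256)`; the overrun the patch is guarding against (oldpal[off + 0..2] indexed past the last entry) is still caught by it. The rest of the change reads well: deferring the `* 3` scaling until after the check means the comparison is done in entry units, which matches the log message.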