[FFmpeg-cvslog] bmp: check available space when reading palette

Michael Niedermayer git at videolan.org
Tue Feb 19 17:05:51 CET 2013


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Feb 19 16:59:26 2013 +0100| [633f9974790e2c0cff6ffafddc1ce0224fb08329] | committer: Michael Niedermayer

bmp: check available space when reading palette

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=633f9974790e2c0cff6ffafddc1ce0224fb08329
---

 libavcodec/bmp.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c
index ea221bc..dddc818 100644
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@@ -261,6 +261,10 @@ static int bmp_decode_frame(AVCodecContext *avctx,
         buf = buf0 + 14 + ihsize; //palette location
         // OS/2 bitmap, 3 bytes per palette entry
         if ((hsize-ihsize-14) < (colors << 2)) {
+            if ((hsize-ihsize-14) < colors * 3) {
+                av_log(avctx, AV_LOG_ERROR, "palette doesnt fit in packet\n");
+                return AVERROR_INVALIDDATA;
+            }
             for (i = 0; i < colors; i++)
                 ((uint32_t*)p->data[1])[i] = (0xFFU<<24) | bytestream_get_le24(&buf);
         } else {
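Review bot: The added check `if ((hsize-ihsize-14) < colors * 3)` bounds the palette using the header-derived values hsize and ihsize, not the number of bytes actually remaining in the packet. It therefore stops the out-of-array read only if hsize has already been validated against the packet size earlier in bmp_decode_frame, which this hunk does not show. Please confirm that, or compare against the remaining buffer length directly. The expression `hsize-ihsize-14` now appears in two comparisons, and its behaviour when hsize is smaller than ihsize + 14 depends on the operand types. Computing it once into a named local after checking that case would make both branches easier to audit. Minor: "doesnt" in the log string should read "does not".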


