[FFmpeg-cvslog] smacker: error out if palette copy-with-offset overruns palette size.
Ronald S. Bultje
git at videolan.org
Thu Mar 8 03:10:34 CET 2012
ffmpeg | branch: master | Ronald S. Bultje <rsbultje at gmail.com> | Tue Mar 6 17:24:20 2012 -0800| [a93b572ae4f517ce0c35cf085167c318e9215908] | committer: Ronald S. Bultje
smacker: error out if palette copy-with-offset overruns palette size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a93b572ae4f517ce0c35cf085167c318e9215908
---
libavformat/smacker.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index adc67e7..0b790b8 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -265,8 +265,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
sz += (t & 0x7F) + 1;
pal += ((t & 0x7F) + 1) * 3;
} else if(t & 0x40){ /* copy with offset */
- off = avio_r8(s->pb) * 3;
+ off = avio_r8(s->pb);
j = (t & 0x3F) + 1;
+ if (off + j > 0xff) {
+ av_log(s, AV_LOG_ERROR,
+ "Invalid palette update, offset=%d length=%d extends beyond palette size\n",
+ off, j);
+ return AVERROR_INVALIDDATA;
+ }
+ off *= 3;
while(j-- && sz < 256) {
*pal++ = oldpal[off + 0];
*pal++ = oldpal[off + 1];
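Review bot: the bound `if (off + j > 0xff)` in the copy-with-offset branch looks one entry too strict. `off` is now an entry index and `j` an entry count, so a copy that ends exactly on the last palette entry has off + j == 256 (for example off=255, j=1 reads only entry 255), and this check rejects it as invalid. If oldpal holds 256 entries, as the `sz < 256` loop bound suggests, the comparison should be `off + j > 0x100`. As written it does stop the out-of-bounds read, but it can also refuse a well-formed palette update. Doing the check before `off *= 3` keeps the comparison in entry units rather than bytes; a one-line comment stating that, and the palette size the constant stands for, would make the intent clear to the next reader.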