kmvc: Check palsize.
Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
parent
d87997b56f
commit
75d8cccf0e
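--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE 0x40
 #define KMVC_METHOD 0x0F
+#define MAX_PALSIZE 256
 
 /*
 * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {
 
 int setpal;
 int palsize;
-uint32_t pal[256];
+uint32_t pal[MAX_PALSIZE];
 uint8_t *cur, *prev;
 uint8_t *frm0, *frm1;
 } KmvcContext;
@@ -414,6 +415,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
 c->palsize = 127;
 } else {
 c->palsize = AV_RL16(avctx->extradata + 10);
+if (c->palsize >= MAX_PALSIZE) {
+av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+return AVERROR_INVALIDDATA;
+}
 }
 
 if (avctx->extradata_size == 1036) { // palette in extradata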
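Review bot: The new bound in decode_init rejects a palsize of exactly 256, although `pal[MAX_PALSIZE]` holds 256 entries and the 1036-byte extradata case that follows (12 + 256*4) appears to carry a full 256-entry palette; if 256 is a legitimate value, `if (c->palsize > MAX_PALSIZE) {` is the tighter fit, otherwise a one-line comment stating why 255 is the ceiling would stop a later reader from "fixing" it. A short comment on the new define, `/* capacity of KmvcContext.pal[]; palsize read from extradata must stay within it */`, would tie the constant to both the array and the check. How palsize is consumed by the palette-reading and pixel-lookup code is not visible here, so whether 256 is reachable is inferred, not verified. decode_init begins and ends outside the hunk.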