kmvc: Check palsize.

Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Alex Converse 2012-01-26 17:30:49 +01:00 committed by Reinhard Tartler
parent d87997b56f
commit 75d8cccf0e
1 changed files with 6 additions and 1 deletions

View File

@ -33,6 +33,7 @@
#define KMVC_KEYFRAME 0x80
#define KMVC_PALETTE 0x40
#define KMVC_METHOD 0x0F
#define MAX_PALSIZE 256
/*
* Decoder context
@ -43,7 +44,7 @@ typedef struct KmvcContext {
int setpal;
int palsize;
uint32_t pal[256];
uint32_t pal[MAX_PALSIZE];
uint8_t *cur, *prev;
uint8_t *frm0, *frm1;
} KmvcContext;
@ -414,6 +415,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
c->palsize = 127;
} else {
c->palsize = AV_RL16(avctx->extradata + 10);
if (c->palsize >= MAX_PALSIZE) {
av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
return AVERROR_INVALIDDATA;
}
}
if (avctx->extradata_size == 1036) { // palette in extradata