Module: libav Branch: release/0.7 Commit: f2e412d050ae9a0dcdea515f1c02620c6dcf8c47
Author: Ronald S. Bultje <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Tue Mar 6 17:24:20 2012 -0800 smacker: error out if palette copy-with-offset overruns palette size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] (cherry picked from commit a93b572ae4f517ce0c35cf085167c318e9215908) Signed-off-by: Reinhard Tartler <[email protected]> --- libavformat/smacker.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index a817c31..7ec8099 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -261,8 +261,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) sz += (t & 0x7F) + 1; pal += ((t & 0x7F) + 1) * 3; } else if(t & 0x40){ /* copy with offset */ - off = avio_r8(s->pb) * 3; + off = avio_r8(s->pb); j = (t & 0x3F) + 1; + if (off + j > 0xff) { + av_log(s, AV_LOG_ERROR, + "Invalid palette update, offset=%d length=%d extends beyond palette size\n", + off, j); + return AVERROR_INVALIDDATA; + } + off *= 3; while(j-- && sz < 256) { *pal++ = oldpal[off + 0]; *pal++ = oldpal[off + 1]; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
