Module: libav Branch: release/0.8 Commit: c21b858b278df60c849d86701019e7d096b0c1f4
Author: Ronald S. Bultje <[email protected]>
Committer: Reinhard Tartler <[email protected]>
Date: Wed Mar 21 15:19:31 2012 -0700
vqa: check palette chunk size before reading data.
Prevents overreads beyond buffer boundaries.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
(cherry picked from commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac)
Signed-off-by: Reinhard Tartler <[email protected]>
---
 libavcodec/vqavideo.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 9801167..bc1ff27 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -385,7 +385,7 @@ static int vqa_decode_chunk(VqaContext *s)
 bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET);
 chunk_size = bytestream2_get_be32(&s->gb);
 /* sanity check the palette size */
- if (chunk_size / 3 > 256) {
+ if (chunk_size / 3 > 256 || chunk_size > bytestream2_get_bytes_left(&s->gb)) {
 av_log(s->avctx, AV_LOG_ERROR, " VQA video: problem: found a palette chunk with %d colors\n",
 chunk_size / 3);
 return AVERROR_INVALIDDATA;
_______________________________________________
libav-commits mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-commits
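Review bot: The added `chunk_size > bytestream2_get_bytes_left(&s->gb)` test reuses the existing error path, so a palette chunk rejected only because it runs past the end of the packet is still logged as "found a palette chunk with %d colors", possibly with a valid color count. Someone triaging a malformed file from the log cannot tell a truncated chunk from an oversized palette. A separate branch with its own message would make that distinction, for example `av_log(s->avctx, AV_LOG_ERROR, "  VQA video: palette chunk size %u exceeds remaining data\n", chunk_size);`, with the format specifier matched to the declaration of `chunk_size`. That declaration and the helper's return type are outside the hunk, so also confirm that the comparison does not mix signed and unsigned operands in a way that lets a large value pass. vqa_decode_chunk starts and ends outside the hunk, so whether the other chunk reads in it are bounded the same way cannot be seen from here.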
