On 01/27/2012 07:55 PM, Alex Converse wrote:

> Fixes: CVE-2011-3952
> 
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Based on fix by Michael Niedermayer
> ---
>  libavcodec/kmvc.c |    7 ++++++-
>  1 files changed, 6 insertions(+), 1 deletions(-)
> 
> diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
> index 2b54b84..14438fa 100644
> --- a/libavcodec/kmvc.c
> +++ b/libavcodec/kmvc.c
> @@ -33,6 +33,7 @@
>  #define KMVC_KEYFRAME 0x80
>  #define KMVC_PALETTE  0x40
>  #define KMVC_METHOD   0x0F
> +#define MAX_PALSIZE   256
>  
>  /*
>   * Decoder context
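Review bot: MAX_PALSIZE is introduced next to the header bit-mask defines (KMVC_KEYFRAME, KMVC_PALETTE, KMVC_METHOD), where a reader may take it for another flag value; a one-line comment stating that it is the element count of pal[] in KmvcContext, or placing the define directly above the struct it sizes, would make its role clear.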
> @@ -43,7 +44,7 @@ typedef struct KmvcContext {
>  
>      int setpal;
>      int palsize;
> -    uint32_t pal[256];
> +    uint32_t pal[MAX_PALSIZE];
>      uint8_t *cur, *prev;
>      uint8_t *frm0, *frm1;
>      GetByteContext g;
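Review bot: tying the array bound to MAX_PALSIZE so the same macro feeds the new range check is the right coupling; before this goes in, it is worth confirming that no other literal 256 in kmvc.c (a palette read loop, a clear of pal[]) still indexes this array, since any such site should use the macro too so a future change to one bound cannot silently desynchronise from the other.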
> @@ -380,6 +381,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
>          c->palsize = 127;
>      } else {
>          c->palsize = AV_RL16(avctx->extradata + 10);
> +        if (c->palsize >= MAX_PALSIZE) {
> +            av_log(NULL, AV_LOG_ERROR, "KMVC palette too large\n");
> +            return AVERROR_INVALIDDATA;
> +        }
>      }
>  
>      if (avctx->extradata_size == 1036) {        // palette in extradata
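Review bot: `av_log(NULL, AV_LOG_ERROR, ...)` in the new check should pass `avctx` as the log context so the message is attributed to the decoder instance like the rest of the codec's logging; `av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");` is the usual form. Separately, the condition `c->palsize >= MAX_PALSIZE` rejects a palette of exactly 256 entries even though pal[] holds 256, so if the palette reader fills indices 1..palsize (making palsize == 256 an overflow) that rationale deserves a short comment beside the check; otherwise someone will later "fix" the apparent off-by-one and reopen the out-of-bounds write this patch closes.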


ok.

-Justin

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel