On 01/27/2012 11:34 PM, Justin Ruggles wrote:
> On 01/27/2012 07:55 PM, Alex Converse wrote:
>
>> Fixes: CVE-2011-3952
>>
>> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>> Based on fix by Michael Niedermayer
>> ---
>> libavcodec/kmvc.c | 7 ++++++-
>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>
>> diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
>> index 2b54b84..14438fa 100644
>> --- a/libavcodec/kmvc.c
>> +++ b/libavcodec/kmvc.c
>> @@ -33,6 +33,7 @@
>> #define KMVC_KEYFRAME 0x80
>> #define KMVC_PALETTE 0x40
>> #define KMVC_METHOD 0x0F
>> +#define MAX_PALSIZE 256
>>
>> /*
>> * Decoder context
>> @@ -43,7 +44,7 @@ typedef struct KmvcContext {
>>
>> int setpal;
>> int palsize;
>> - uint32_t pal[256];
>> + uint32_t pal[MAX_PALSIZE];
>> uint8_t *cur, *prev;
>> uint8_t *frm0, *frm1;
>> GetByteContext g;
>> @@ -380,6 +381,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
>> c->palsize = 127;
>> } else {
>> c->palsize = AV_RL16(avctx->extradata + 10);
>> + if (c->palsize >= MAX_PALSIZE) {
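Review bot: the bound in `if (c->palsize >= MAX_PALSIZE)` rejects palsize == 256, yet `uint32_t pal[MAX_PALSIZE]` has exactly 256 entries (indices 0..255), so a full-size palette is a legal value for this array; unless the palette loop writes palsize + 1 entries, `>` is the off-by-one-safe comparison and `>=` refuses a valid stream. The body of the if is cut off in this quote, so whether an over-large value is rejected or clamped cannot be seen here, but either way the check is what keeps the copy into pal in bounds, since palsize comes straight from a 16-bit extradata field and could previously be anything up to 65535. Separately, the hunk gives no indication that extradata_size is validated before the AV_RL16 read at offset 10 in the else branch; worth confirming that check exists outside the shown context.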
is that really supposed to be >= ?
-Justin
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel