On Fri, Jan 27, 2012 at 8:40 PM, Justin Ruggles <[email protected]> wrote: > On 01/27/2012 11:34 PM, Justin Ruggles wrote: > >> On 01/27/2012 07:55 PM, Alex Converse wrote: >> >>> Fixes: CVE-2011-3952 >>> >>> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind >>> Based on fix by Michael Niedermayer >>> --- >>> libavcodec/kmvc.c | 7 ++++++- >>> 1 files changed, 6 insertions(+), 1 deletions(-) >>> >>> diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c >>> index 2b54b84..14438fa 100644 >>> --- a/libavcodec/kmvc.c >>> +++ b/libavcodec/kmvc.c >>> @@ -33,6 +33,7 @@ >>> #define KMVC_KEYFRAME 0x80 >>> #define KMVC_PALETTE 0x40 >>> #define KMVC_METHOD 0x0F >>> +#define MAX_PALSIZE 256 >>> >>> /* >>> * Decoder context >>> @@ -43,7 +44,7 @@ typedef struct KmvcContext { >>> >>> int setpal; >>> int palsize; >>> - uint32_t pal[256]; >>> + uint32_t pal[MAX_PALSIZE]; >>> uint8_t *cur, *prev; >>> uint8_t *frm0, *frm1; >>> GetByteContext g; >>> @@ -380,6 +381,10 @@ static av_cold int decode_init(AVCodecContext * avctx) >>> c->palsize = 127; >>> } else { >>> c->palsize = AV_RL16(avctx->extradata + 10); >>> + if (c->palsize >= MAX_PALSIZE) { > > > is that really supposed to be >= ? >
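Review bot: in the decode_init hunk, the `>=` in `if (c->palsize >= MAX_PALSIZE)` needs a comment in the code itself, because without one it reads like an off-by-one and was the first thing questioned in review. `c->palsize` comes straight from `AV_RL16(avctx->extradata + 10)`, so it can be anything up to 65535, and since index zero of `pal[]` is unused (as the follow-up reply explains) a palette of `palsize` entries occupies `pal[1..palsize]`, making `MAX_PALSIZE - 1` the largest value that still fits in `uint32_t pal[MAX_PALSIZE]`. A one-line comment such as `/* pal[0] is unused, entries occupy pal[1..palsize] */` above the check would record that. The body of the `if` is cut off in the quoted message, so it is not visible whether the decoder logs and returns an error (e.g. `AVERROR_INVALIDDATA`) or silently continues; rejecting the stream is the safer choice, since an oversized `palsize` from extradata would otherwise index past the end of `pal[]`.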
Yes, because index zero is unused.

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
