generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

smacker: error out if palette copy-with-offset overruns palette size.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit a93b572ae4)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Ronald S. Bultje
2012-03-06 17:24:20 -08:00
committed by Reinhard Tartler
parent 12247a13e0
commit c3bf08d04c
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libavformat/smacker.c
View File

@@ -265,8 +265,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
sz += (t & 0x7F) + 1;
pal += ((t & 0x7F) + 1) * 3;
} else if(t & 0x40){ /* copy with offset */
off = avio_r8(s->pb) * 3;
off = avio_r8(s->pb);
j = (t & 0x3F) + 1;
if (off + j > 0xff) {
av_log(s, AV_LOG_ERROR,
"Invalid palette update, offset=%d length=%d extends beyond palette size\n",
off, j);
return AVERROR_INVALIDDATA;
}
off *= 3;
while(j-- && sz < 256) {
*pal++ = oldpal[off + 0];
*pal++ = oldpal[off + 1];