Browse code
smacker: error out if palette copy-with-offset overruns palette size.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Ronald S. Bultje authored on 2012/03/07 10:24:20Showing 1 changed files
| ... | ... |
@@ -265,8 +265,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) |
| 265 | 265 |
sz += (t & 0x7F) + 1; |
| 266 | 266 |
pal += ((t & 0x7F) + 1) * 3; |
| 267 | 267 |
} else if(t & 0x40){ /* copy with offset */
|
| 268 |
- off = avio_r8(s->pb) * 3; |
|
| 268 |
+ off = avio_r8(s->pb); |
|
| 269 | 269 |
j = (t & 0x3F) + 1; |
| 270 |
+ if (off + j > 0xff) {
|
|
| 271 |
+ av_log(s, AV_LOG_ERROR, |
|
| 272 |
+ "Invalid palette update, offset=%d length=%d extends beyond palette size\n", |
|
| 273 |
+ off, j); |
|
| 274 |
+ return AVERROR_INVALIDDATA; |
|
| 275 |
+ } |
|
| 276 |
+ off *= 3; |
|
| 270 | 277 |
while(j-- && sz < 256) {
|
| 271 | 278 |
*pal++ = oldpal[off + 0]; |
| 272 | 279 |
*pal++ = oldpal[off + 1]; |