diff options
author | Kostya Shishkov <kostya.shishkov@gmail.com> | 2013-03-17 20:22:19 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2013-05-09 20:05:52 +0200 |
commit | f844cb9bced3148fca2db5bbb092929526108005 (patch) | |
tree | b62dedab2c9155aedafe4275cdd8fcdcf5c0b365 | |
parent | 280998b13cb8f8c8f771fbdf9257c6a8694577da (diff) | |
download | ffmpeg-f844cb9bced3148fca2db5bbb092929526108005.tar.gz |
iff: validate CMAP palette size
Fixes CVE-2013-2495
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 31a77177ff323ef83944c60a8654891213ab6691)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavformat/iff.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c index 2b84986aff..2943f7edab 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -173,6 +173,11 @@ static int iff_read_header(AVFormatContext *s, break; case ID_CMAP: + if (data_size < 3 || data_size > 768 || data_size % 3) { + av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n", + data_size); + return AVERROR_INVALIDDATA; + } st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata) |