Merge commit '31a77177ff323ef83944c60a8654891213ab6691' into release/1.1

* commit '31a77177ff323ef83944c60a8654891213ab6691': iff: validate CMAP palette size Conflicts: libavformat/iff.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-05-12 11:21:41 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-05-12 11:21:41 +0200
commit: 008ae91bcca7f9bc3ae5d04e92f925b0ab771f07 (patch)
tree: 5d242936ad91b9f51b5ec26f5b166d06f0372abf
parent: 2922ab7e6fecd56942323b27065c21f5332b0588 (diff)
parent: 31a77177ff323ef83944c60a8654891213ab6691 (diff)
download: ffmpeg-008ae91bcca7f9bc3ae5d04e92f925b0ab771f07.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c
index ffd9231fc9..02ba33c181 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -249,8 +249,11 @@ static int iff_read_header(AVFormatContext *s)
             break;
 
         case ID_CMAP:
-            if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
-                return AVERROR_INVALIDDATA;
+            if (data_size < 3 || data_size > 768 || data_size % 3) {
+                 av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+                        data_size);
+                 return AVERROR_INVALIDDATA;
+            }
             st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
             st->codec->extradata      = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
             if (!st->codec->extradata)
author	Michael Niedermayer <michaelni@gmx.at>	2013-05-12 11:21:41 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-05-12 11:21:41 +0200
commit	008ae91bcca7f9bc3ae5d04e92f925b0ab771f07 (patch)
tree	5d242936ad91b9f51b5ec26f5b166d06f0372abf
parent	2922ab7e6fecd56942323b27065c21f5332b0588 (diff)
parent	31a77177ff323ef83944c60a8654891213ab6691 (diff)
download	ffmpeg-008ae91bcca7f9bc3ae5d04e92f925b0ab771f07.tar.gz