diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2016-08-04 12:26:41 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2016-08-08 18:40:56 +0200 |
| commit | 19d2921bbfec13c7a843bdbdb5687cf821b02cff (patch) | |
| tree | 3fb02bf2b1121b3b045287718c530a4fe75fea99 | |
| parent | e160064d39d5f08a1b206660b6ad8855acb8897d (diff) | |
| download | ffmpeg-19d2921bbfec13c7a843bdbdb5687cf821b02cff.tar.gz | |
avcodec/rawdec: Fix palette handling with changing palettes
Fixes out of array access
Fixes: poc.swf
Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6aa39080ccea2b60433e920417844c3a3c0da50b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/rawdec.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 765e567d1f..f97a839f5d 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -365,20 +365,29 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { - av_buffer_unref(&context->palette); + int ret; + if (!context->palette) context->palette = av_buffer_alloc(AVPALETTE_SIZE); - if (!context->palette) { - av_buffer_unref(&frame->buf[0]); - return AVERROR(ENOMEM); - } + if (!context->palette) { + av_buffer_unref(&frame->buf[0]); + return AVERROR(ENOMEM); + } + ret = av_buffer_make_writable(&context->palette); + if (ret < 0) { + av_buffer_unref(&frame->buf[0]); + return ret; + } + + if (pal) { memcpy(context->palette->data, pal, AVPALETTE_SIZE); frame->palette_has_changed = 1; } else if (context->is_nut_pal8) { int vid_size = avctx->width * avctx->height; - if (avpkt->size - vid_size) { + int pal_size = avpkt->size - vid_size; + + if (avpkt->size > vid_size && pal_size <= AVPALETTE_SIZE) { pal = avpkt->data + vid_size; - memcpy(context->palette->data, pal, avpkt->size - vid_size); + memcpy(context->palette->data, pal, pal_size); frame->palette_has_changed = 1; } } |