kmvc: Check palsize.

Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer (cherry picked from commit 386741f887714d3e46c9e8fe577e326a7964037b) (cherry picked from commit 416849f2e06227b1b4a451c392f100db1d709a0c) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Alex Converse <alex.converse@gmail.com> 2012-01-26 17:30:49 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2012-05-29 15:40:57 +0200
commit: 75d8cccf0efb95c8a43b2a84f18013600eed877f (patch)
tree: 8be2c66869ea52bc6af6a2068e4c49efca6c1331
parent: d87997b56f2725dc33ba262d895060a29ba5000d (diff)
download: ffmpeg-75d8cccf0efb95c8a43b2a84f18013600eed877f.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
index 033d3d7998..ff83b86ddf 100644
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE  0x40
 #define KMVC_METHOD   0x0F
+#define MAX_PALSIZE   256
 
 /*
  * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {
 
     int setpal;
     int palsize;
-    uint32_t pal[256];
+    uint32_t pal[MAX_PALSIZE];
     uint8_t *cur, *prev;
     uint8_t *frm0, *frm1;
 } KmvcContext;
@@ -414,6 +415,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
         c->palsize = 127;
     } else {
         c->palsize = AV_RL16(avctx->extradata + 10);
+        if (c->palsize >= MAX_PALSIZE) {
+            av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+            return AVERROR_INVALIDDATA;
+        }
     }
 
     if (avctx->extradata_size == 1036) {        // palette in extradata
author	Alex Converse <alex.converse@gmail.com>	2012-01-26 17:30:49 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2012-05-29 15:40:57 +0200
commit	75d8cccf0efb95c8a43b2a84f18013600eed877f (patch)
tree	8be2c66869ea52bc6af6a2068e4c49efca6c1331
parent	d87997b56f2725dc33ba262d895060a29ba5000d (diff)
download	ffmpeg-75d8cccf0efb95c8a43b2a84f18013600eed877f.tar.gz