authorMike Melanson <mike@multimedia.cx>2007-12-05 04:30:33 +0000
committerMike Melanson <mike@multimedia.cx>2007-12-05 04:30:33 +0000
commit8b35bd806dd5424104a8a44a49da8b25d553dd10 (patch)
treed9c2f2ad5a2bfd3f4a315b959b2e8be7339f7567
parentab19baef36a4989768245d845a009cde753aafff (diff)
downloadffmpeg-8b35bd806dd5424104a8a44a49da8b25d553dd10.tar.gz
Check sanity in the palette loading operation. This addresses a potential security risk in
the MOV/MP4 demuxer. Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavformat/mov.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6e6b8346b4..b598167e8b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
uint8_t codec_name[32];
/* for palette traversal */
- int color_depth;
- int color_start;
- int color_count;
- int color_end;
+ unsigned int color_depth;
+ unsigned int color_start;
+ unsigned int color_count;
+ unsigned int color_end;
int color_index;
int color_dec;
int color_greyscale;
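Review bot: Nothing at the declarations of `color_start` and `color_end` says that they are unsigned for a safety reason, so a later cleanup could turn them back into `int` without noticing. The upper-bound test added further down only rejects every bad index because a large 32-bit value read from the file can no longer become negative. I would extend the existing comment to something like `/* for palette traversal; unsigned so one upper-bound check rejects out-of-range values read from the file */`. `color_index` and `color_dec` stay `int`; whether they are also used as palette indices is outside this hunk, as is the rest of mov_read_stsd.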
@@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
color_start = get_be32(pb);
color_count = get_be16(pb);
color_end = get_be16(pb);
+ if ((color_start <= 255) &&
+ (color_end <= 255)) {
for (j = color_start; j <= color_end; j++) {
/* each R, G, or B component is 16 bits;
* only use the top 8 bits; skip alpha bytes
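Review bot: The guard `if ((color_start <= 255) && (color_end <= 255))` hard-codes the bound and drops an out-of-range palette without any diagnostic. The bound presumably matches the size of `c->palette_control.palette`, which is declared outside the hunk. A named constant shared with that declaration, or at least a comment such as `/* palette[] holds 256 entries; indices come straight from the file */`, would keep the two from drifting apart. When the test fails, the palette entries are left unread in `pb` and nothing is logged, so a malformed file cannot be told apart from one with no palette. A warning in an `else` branch would help triage, and it is worth confirming that the caller resynchronises on the atom size. `color_count` is read but not compared with `color_end - color_start` in the lines shown. The loop body and the rest of mov_read_stsd continue outside this hunk.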
@@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb);
c->palette_control.palette[j] =
(r << 16) | (g << 8) | (b);
+ }
}
}