author | Michael Niedermayer <michaelni@gmx.at> | 2013-12-18 23:43:20 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-12-18 23:44:52 +0100 |
commit | 947e40b9feb8cd2817ce1bce0d2f6735b1144480 (patch) | |
tree | 0577d340cefeef22d64bafbb84645ab079849140 | |
parent | 5f0d552c9b4cd83812d8e1619b96c294401141d1 (diff) | |
avformat/ipmovie: Check that OPCODE_SET_PALETTE size is large enough
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7fec1f40656c_4819_descent3_level5_16bit_partial.mve
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavformat/ipmovie.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c
index db95c49811..3c53686a6a 100644
--- a/libavformat/ipmovie.c
+++ b/libavformat/ipmovie.c
@@ -451,8 +451,8 @@ static int process_ipmovie_chunk(IPMVEContext *s, AVIOContext *pb,
 av_dlog(NULL, "set palette\n");
 /* check for the logical maximum palette size
 * (3 * 256 + 4 bytes) */
- if (opcode_size > 0x304) {
- av_dlog(NULL, "demux_ipmovie: set_palette opcode too large\n");
+ if (opcode_size > 0x304 || opcode_size < 4) {
+ av_dlog(NULL, "demux_ipmovie: set_palette opcode with invalid size\n");
 chunk_type = CHUNK_BAD;
 break;
 } |
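Review bot: The new lower bound `opcode_size < 4` only guarantees that the four-byte palette header is present; it does not tie the payload length to the number of entries that header declares. Judging by the `(3 * 256 + 4 bytes)` comment, the payload is a header followed by three bytes per colour, so an opcode with a short payload and a large declared count could presumably still make the later parsing consume buffer bytes that this opcode never filled. Once the count has been parsed, a check such as `if (4 + 3 * count > opcode_size) { chunk_type = CHUNK_BAD; break; }` would close that gap, where `count` is a placeholder for whatever variable holds the declared entry count. The palette parsing and the rest of process_ipmovie_chunk lie outside this hunk, so this needs confirming against the full function.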