author | Michael Niedermayer <[email protected]> | 2012-06-04 13:12:41 +0200 |
---|---|---|
committer | Michael Niedermayer <[email protected]> | 2012-06-04 13:12:41 +0200 |
commit | a56b07b5dc4fdacbb038a9fc9d51e6b98e6d12d8 (patch) | |
tree | 76f242090d28d996194ceab728be37801cdf9bb9 /libavcodec/kmvc.c | |
parent | e05fd37e028aae55abe9725a18bea9c83e63bcfa (diff) | |
parent | 64bc5f3bf75f6f009b66ba113da4afd1e7625d22 (diff) |
Merge branch 'release/0.8' into release/0.7
* release/0.8:
Update RELEASE file for 0.7.6
Update changelog for 0.7.6 release
ea: check chunk_size for validity.
png: check bit depth for PAL8/Y400A pixel formats.
x86: fix build with gcc 4.7
qdm2: clip array indices returned by qdm2_get_vlc().
kmvc: Check palsize.
aacsbr: prevent out of bounds memcpy().
rtpdec_asf: Fix integer underflow that could allow remote code execution
dpcm: ignore extra unpaired bytes in stereo streams.
tqi: Pass errors from the MB decoder
h264: Add check for invalid chroma_format_idc
adpcm: ADPCM Electronic Arts has always two channels
h263dec: Disallow width/height changing with frame threads.
vqavideo: return error if image size is not a multiple of block size
celp filters: Do not read earlier than the start of the 'out' vector.
motionpixels: Clip YUV values after applying a gradient.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
Update for 0.8.11
Conflicts:
Doxyfile
RELEASE
VERSION
Merged-by: Michael Niedermayer <[email protected]>
Diffstat (limited to 'libavcodec/kmvc.c')
-rw-r--r-- | libavcodec/kmvc.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 2d7b47c93f..793c6f1010 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -33,6 +33,7 @@ #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 #define KMVC_METHOD 0x0F +#define MAX_PALSIZE 256 /* * Decoder context @@ -43,7 +44,7 @@ typedef struct KmvcContext { int setpal; int palsize; - uint32_t pal[256]; + uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; uint8_t *frm0, *frm1; } KmvcContext; @@ -415,6 +416,10 @@ static av_cold int decode_init(AVCodecContext * avctx) c->palsize = 127; } else { c->palsize = AV_RL16(avctx->extradata + 10); + if (c->palsize >= MAX_PALSIZE) { + av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n"); + return AVERROR_INVALIDDATA; + } } if (avctx->extradata_size == 1036) { // palette in extradata |
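Review bot: `#define MAX_PALSIZE 256` in the first hunk carries no comment saying what it bounds. It now sizes `pal[]` in KmvcContext and is also the limit applied to the 16-bit value read from extradata in decode_init, so a short comment such as "number of entries in KmvcContext.pal" would tie the two uses together and make the intent of the later comparison easier to verify.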
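Review bot: in the decode_init hunk, `if (c->palsize >= MAX_PALSIZE)` rejects a value equal to the array size, which is exactly right if palsize is a highest index or inclusive bound and one stricter than necessary if it is an entry count; the fallback `c->palsize = 127` just above hints at the former, but nothing in the hunk states it. A one-line comment saying which it is would keep a later reader from changing `>=` to `>`. The error message would also be more useful if it printed the rejected value and the limit, for example "KMVC palette too large (%d >= %d)" with c->palsize and MAX_PALSIZE, so a malformed file can be diagnosed from the log alone.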