mss1: check number of free colours

Prevents out of array write. Signed-off-by: Paul B Mahol <onemda@gmail.com>
author: Paul B Mahol <onemda@gmail.com> 2012-06-25 22:45:08 +0000
committer: Paul B Mahol <onemda@gmail.com> 2012-06-25 23:07:18 +0000
commit: e3c26705392e462fabf54366fbad3dbf6ec832d1 (patch)
tree: 358131ca3e99584554ed3be5e07aea44ba370851 /libavcodec/mss1.c
parent: 8a0cd58729364c7d8cf4361aa586f3d0dc43ebb4 (diff)
download: ffmpeg-e3c26705392e462fabf54366fbad3dbf6ec832d1.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c
index b9e32331ab..dfddbd97ec 100644
--- a/libavcodec/mss1.c
+++ b/libavcodec/mss1.c
@@ -783,6 +783,10 @@ static av_cold int mss1_decode_init(AVCodecContext *avctx)
     av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d\n",
            AV_RB32(avctx->extradata + 4), AV_RB32(avctx->extradata + 8));
     c->free_colours     = AV_RB32(avctx->extradata + 48);
+    if (c->free_colours < 0 || c->free_colours > 256) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid free colours %d\n", c->free_colours);
+        return AVERROR_INVALIDDATA;
+    }
     av_log(avctx, AV_LOG_DEBUG, "%d free colour(s)\n", c->free_colours);
     avctx->coded_width  = AV_RB32(avctx->extradata + 20);
     avctx->coded_height = AV_RB32(avctx->extradata + 24);
author	Paul B Mahol <onemda@gmail.com>	2012-06-25 22:45:08 +0000
committer	Paul B Mahol <onemda@gmail.com>	2012-06-25 23:07:18 +0000
commit	e3c26705392e462fabf54366fbad3dbf6ec832d1 (patch)
tree	358131ca3e99584554ed3be5e07aea44ba370851 /libavcodec/mss1.c
parent	8a0cd58729364c7d8cf4361aa586f3d0dc43ebb4 (diff)
download	ffmpeg-e3c26705392e462fabf54366fbad3dbf6ec832d1.tar.gz