aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/iff.c
diff options
context:
space:
mode:
authorKostya Shishkov <kostya.shishkov@gmail.com>2013-03-17 20:22:19 +0100
committerLuca Barbato <lu_zero@gentoo.org>2013-03-18 10:48:29 +0100
commit50c449ac24fbb4c03c15d2e2026cef2204b80385 (patch)
tree6e9d79f016daa81b095360679e80395be3a77365 /libavformat/iff.c
parentd1bec33b46091546c5b2e6815210e73f87abf413 (diff)
downloadffmpeg-50c449ac24fbb4c03c15d2e2026cef2204b80385.tar.gz
iff: validate CMAP palette size
Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato <lu_zero@gentoo.org> CC: libav-stable@libav.org
Diffstat (limited to 'libavformat/iff.c')
-rw-r--r--libavformat/iff.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c
index ab22e118f0..79f5f16050 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s)
break;
case ID_CMAP:
+ if (data_size < 3 || data_size > 768 || data_size % 3) {
+ av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+ data_size);
+ return AVERROR_INVALIDDATA;
+ }
st->codec->extradata_size = data_size;
st->codec->extradata = av_malloc(data_size);
if (!st->codec->extradata)