diff options
author | Mike Melanson <mike@multimedia.cx> | 2007-12-05 04:30:33 +0000 |
---|---|---|
committer | Mike Melanson <mike@multimedia.cx> | 2007-12-05 04:30:33 +0000 |
commit | 8b35bd806dd5424104a8a44a49da8b25d553dd10 (patch) | |
tree | d9c2f2ad5a2bfd3f4a315b959b2e8be7339f7567 /libavformat/mov.c | |
parent | ab19baef36a4989768245d845a009cde753aafff (diff) | |
download | ffmpeg-8b35bd806dd5424104a8a44a49da8b25d553dd10.tar.gz |
Check sanity in the palette loading operation. The addresses a potential security risk in
the MOV/MP4 demuxer.
Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/mov.c')
-rw-r--r-- | libavformat/mov.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 6e6b8346b4..b598167e8b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom) uint8_t codec_name[32]; /* for palette traversal */ - int color_depth; - int color_start; - int color_count; - int color_end; + unsigned int color_depth; + unsigned int color_start; + unsigned int color_count; + unsigned int color_end; int color_index; int color_dec; int color_greyscale; @@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom) color_start = get_be32(pb); color_count = get_be16(pb); color_end = get_be16(pb); + if ((color_start <= 255) && + (color_end <= 255)) { for (j = color_start; j <= color_end; j++) { /* each R, G, or B component is 16 bits; * only use the top 8 bits; skip alpha bytes @@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom) get_byte(pb); c->palette_control.palette[j] = (r << 16) | (g << 8) | (b); + } } } |