kvmc: Check palsize.

Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-01-26 17:30:49 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-26 17:30:49 +0100
commit: 70dba1e3c856e86e1780c0a324abbce034f0c7da (patch)
tree: 92d5cf226a3622d527141ba9f37420d75692cb5d /libavcodec/kmvc.c
parent: 1860c66c5460e21314202be3624768d7e1bf45b0 (diff)
download: ffmpeg-streaming-70dba1e3c856e86e1780c0a324abbce034f0c7da.zip
ffmpeg-streaming-70dba1e3c856e86e1780c0a324abbce034f0c7da.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
index 20cc212..9c98bad 100644
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -380,6 +380,11 @@ static av_cold int decode_init(AVCodecContext * avctx)
         c->palsize = 127;
     } else {
         c->palsize = AV_RL16(avctx->extradata + 10);
+        if (c->palsize > 255U) {
+            c->palsize = 127;
+            av_log(NULL, AV_LOG_ERROR, "palsize too big\n");
+            return -1;
+        }
     }
 
     if (avctx->extradata_size == 1036) {        // palette in extradata
author	Michael Niedermayer <michaelni@gmx.at>	2012-01-26 17:30:49 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-26 17:30:49 +0100
commit	70dba1e3c856e86e1780c0a324abbce034f0c7da (patch)
tree	92d5cf226a3622d527141ba9f37420d75692cb5d /libavcodec/kmvc.c
parent	1860c66c5460e21314202be3624768d7e1bf45b0 (diff)
download	ffmpeg-streaming-70dba1e3c856e86e1780c0a324abbce034f0c7da.zip ffmpeg-streaming-70dba1e3c856e86e1780c0a324abbce034f0c7da.tar.gz