From 386741f887714d3e46c9e8fe577e326a7964037b Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Thu, 26 Jan 2012 17:30:49 +0100
Subject: kmvc: Check palsize.

Fixes: CVE-2011-3952
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
---
 libavcodec/kmvc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'libavcodec/kmvc.c')

diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
index 2b54b84..a6bb13b 100644
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE 0x40
 #define KMVC_METHOD 0x0F
+#define MAX_PALSIZE 256
 
 /*
  * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {
 
 int setpal;
 int palsize;
- uint32_t pal[256];
+ uint32_t pal[MAX_PALSIZE];
 uint8_t *cur, *prev;
 uint8_t *frm0, *frm1;
 GetByteContext g;
@@ -380,6 +381,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
 c->palsize = 127;
 } else {
 c->palsize = AV_RL16(avctx->extradata + 10);
+ if (c->palsize >= MAX_PALSIZE) {
+ av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+ return AVERROR_INVALIDDATA;
+ }
 }
 
 if (avctx->extradata_size == 1036) { // palette in extradata
-- cgit v1.1

From ae35210a5d201e5ca7da83f46226681ceb3d5ad9 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Mon, 30 Jan 2012 10:27:50 -0800
Subject: kmvc: Log into a context at a log level constant.

---
 libavcodec/kmvc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'libavcodec/kmvc.c')

diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
index a6bb13b..f862154 100644
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -377,7 +377,8 @@ static av_cold int decode_init(AVCodecContext * avctx)
 }
 
 if (avctx->extradata_size < 12) {
- av_log(NULL, 0, "Extradata missing, decoding may not work properly...\n");
+ av_log(avctx, AV_LOG_WARNING,
+ "Extradata missing, decoding may not work properly...\n");
 c->palsize = 127;
 } else {
 c->palsize = AV_RL16(avctx->extradata + 10);
-- cgit v1.1
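Review bot: The bound `if (c->palsize >= MAX_PALSIZE)` in the decode_init hunk rejects a palette of exactly 256 entries even though `pal` has MAX_PALSIZE slots, which reads as an off-by-one to anyone who does not know how `pal` is indexed elsewhere; the palette loader is not visible in this hunk, but if it fills entries `pal[1..palsize]` inclusive then 256 really would overrun the array and `>=` is the correct bound. A one-line comment on the check would settle that for the next reader: `/* palette data is written as pal[1..palsize], so palsize must stay below MAX_PALSIZE */`. It is worth noting in the same comment that `c->palsize` comes from a 16-bit little-endian field, so untrusted values up to 65535 reach this point and this rejection is what closes the CVE-2011-3952 overflow; the short-extradata branch hard-codes 127 and needs no bound. decode_init begins and ends outside the hunk on both sides.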