kmvc: Check palsize.

Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer

kmvc: Check palsize.
Fixes: CVE-2011-3952 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Based on fix by Michael Niedermayer
386741f8 · Alex Converse · c898431c · 386741f8
Commit 386741f8 authored Jan 26, 2012 by Alex Converse
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

kmvc.c libavcodec/kmvc.c +6 -1

No files found.
--- a/libavcodec/kmvc.c
+++ b/libavcodec/kmvc.c
@@ -33,6 +33,7 @@
 #define KMVC_KEYFRAME 0x80
 #define KMVC_PALETTE  0x40
 #define KMVC_METHOD   0x0F
+#define MAX_PALSIZE   256

 /*
 * Decoder context
@@ -43,7 +44,7 @@ typedef struct KmvcContext {

    int setpal;
    int palsize;
-    uint32_t pal[256];
+    uint32_t pal[MAX_PALSIZE];
    uint8_t *cur, *prev;
    uint8_t *frm0, *frm1;
    GetByteContext g;
@@ -380,6 +381,10 @@ static av_cold int decode_init(AVCodecContext * avctx)
        c->palsize = 127;
    } else {
        c->palsize = AV_RL16(avctx->extradata + 10);
+        if (c->palsize >= MAX_PALSIZE) {
+            av_log(avctx, AV_LOG_ERROR, "KMVC palette too large\n");
+            return AVERROR_INVALIDDATA;
+        }
    }

    if (avctx->extradata_size == 1036) {        // palette in extradata