iff: validate CMAP palette size

Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato <lu_zero@gentoo.org> CC: libav-stable@libav.org

iff: validate CMAP palette size
Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato <lu_zero@gentoo.org> CC: libav-stable@libav.org
50c449ac · Kostya Shishkov · Luca Barbato · d1bec33b · 50c449ac
Commit 50c449ac authored Mar 17, 2013 by Kostya Shishkov Committed by Luca Barbato Mar 18, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

iff.c libavformat/iff.c +5 -0

No files found.
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s)
            break;

        case ID_CMAP:
+            if (data_size < 3 || data_size > 768 || data_size % 3) {
+                 av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+                        data_size);
+                 return AVERROR_INVALIDDATA;
+            }
            st->codec->extradata_size = data_size;
            st->codec->extradata      = av_malloc(data_size);
            if (!st->codec->extradata)