Check sanity in the palette loading operation. The addresses a potential security risk in

the MOV/MP4 demuxer. Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk

Check sanity in the palette loading operation. The addresses a potential security risk in
the MOV/MP4 demuxer. Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
8b35bd80 · Mike Melanson · ab19baef · 8b35bd80
Commit 8b35bd80 authored Dec 05, 2007 by Mike Melanson
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

mov.c libavformat/mov.c +7 -4

No files found.
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
    uint8_t codec_name[32];
    /* for palette traversal */
-    int color_depth;
+    unsigned int color_depth;
-    int color_start;
+    unsigned int color_start;
-    int color_count;
+    unsigned int color_count;
-    int color_end;
+    unsigned int color_end;
    int color_index;
    int color_dec;
    int color_greyscale;
@@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
                    color_start = get_be32(pb);
                    color_count = get_be16(pb);
                    color_end = get_be16(pb);
+                    if ((color_start <= 255) &&
+                        (color_end <= 255)) {
                    for (j = color_start; j <= color_end; j++) {
                        /* each R, G, or B component is 16 bits;
                         * only use the top 8 bits; skip alpha bytes
@@ -717,6 +719,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
                            (r << 16) | (g << 8) | (b);
                        }
                    }
+                }
                st->codec->palctrl = &c->palette_control;
                st->codec->palctrl->palette_changed = 1;