projects / platform / upstream / libav.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d1bec33)
iff: validate CMAP palette size
authorKostya Shishkov <kostya.shishkov@gmail.com>
Sun, 17 Mar 2013 19:22:19 +0000 (20:22 +0100)
committerLuca Barbato <lu_zero@gentoo.org>
Mon, 18 Mar 2013 09:48:29 +0000 (10:48 +0100)
Fixes CVE-2013-2495

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
libavformat/iff.c patch | blob | history

diff --git a/libavformat/iff.c b/libavformat/iff.c
index ab22e11..79f5f16 100644 (file)
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s)
             break;
 
         case ID_CMAP:
+            if (data_size < 3 || data_size > 768 || data_size % 3) {
+                 av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+                        data_size);
+                 return AVERROR_INVALIDDATA;
+            }
             st->codec->extradata_size = data_size;
             st->codec->extradata      = av_malloc(data_size);
             if (!st->codec->extradata)
Domain: Multimedia / Media Content;