mss2: do not try to read too many palette entries

Reported by Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Kostya Shishkov <kostya.shishkov@gmail.com>

diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c
index ce3cfb8..9914562 100644 (file)
--- a/libavcodec/mss2.c
+++ b/libavcodec/mss2.c
@@ -161,7 +161,7 @@ static int decode_pal_v2(MSS12Context *ctx, const uint8_t *buf, int buf_size)
         return 0;
 
     ncol = *buf++;
-    if (buf_size < 2 + ncol * 3)
+    if (ncol > ctx->free_colours || buf_size < 2 + ncol * 3)
         return -1;
     for (i = 0; i < ncol; i++)
         *pal++ = AV_RB24(buf + 3 * i);