[FFmpeg-cvslog] kvmc: Check palsize.
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Thu Jan 26 22:00:33 CET 2012
On 26 Jan 2012, at 17:46, git at videolan.org (Michael Niedermayer) wrote:
> ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Jan 26 17:30:49 2012 +0100| [70dba1e3c856e86e1780c0a324abbce034f0c7da] | committer: Michael Niedermayer
>
> kvmc: Check palsize.
>
> Fixes: CVE-2011-3952
>
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
>
>> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=70dba1e3c856e86e1780c0a324abbce034f0c7da
> ---
>
> libavcodec/kmvc.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
> index 20cc212..9c98bad 100644
> --- a/libavcodec/kmvc.c
> +++ b/libavcodec/kmvc.c
> @@ -380,6 +380,11 @@ static av_cold int decode_init(AVCodecContext * avctx)
> c->palsize = 127;
> } else {
> c->palsize = AV_RL16(avctx->extradata + 10);
> + if (c->palsize > 255U) {
> + c->palsize = 127;
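Review bot: the added check `if (c->palsize > 255U)` and its replacement value `c->palsize = 127;` are bare literals with no comment saying which buffer or loop bounds palsize, or why an out-of-range value read from extradata falls back to 127 instead of being clamped. The same 127 is already assigned in the branch just above the `else`, so a named constant for the default, a limit derived from the size of whatever palsize indexes, and a one-line comment on the choice would make the bound checkable. The quoted hunk stops after the assignment, so the rest of the five inserted lines cannot be reviewed from here.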
What is the logic behind leaving 255 unchanged but changing 256 to 127?
I think that should be a comment; it is non-obvious why a simple clip is not the best solution.