[FFmpeg-cvslog] kvmc: Check palsize.
Michael Niedermayer
michaelni at gmx.at
Thu Jan 26 22:05:21 CET 2012
On Thu, Jan 26, 2012 at 10:00:33PM +0100, Reimar Döffinger wrote:
> On 26 Jan 2012, at 17:46, git at videolan.org (Michael Niedermayer) wrote:
>
> > ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Jan 26 17:30:49 2012 +0100| [70dba1e3c856e86e1780c0a324abbce034f0c7da] | committer: Michael Niedermayer
> >
> > kvmc: Check palsize.
> >
> > Fixes: CVE-2011-3952
> >
> > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> > Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> >
> >> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=70dba1e3c856e86e1780c0a324abbce034f0c7da
> > ---
> >
> > libavcodec/kmvc.c | 5 +++++
> > 1 files changed, 5 insertions(+), 0 deletions(-)
> >
> > diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c
> > index 20cc212..9c98bad 100644
> > --- a/libavcodec/kmvc.c
> > +++ b/libavcodec/kmvc.c
> > @@ -380,6 +380,11 @@ static av_cold int decode_init(AVCodecContext * avctx)
> > c->palsize = 127;
> > } else {
> > c->palsize = AV_RL16(avctx->extradata + 10);
> > + if (c->palsize > 255U) {
> > + c->palsize = 127;
>
> What is the logic behind leaving 255 unchanged but changing 256 to 127?
> I think that should be a comment, it is non-obvious why a simple clip is not the best solution.
256 if left results in out of array writes.
setting the variable to a safe value is probably better than leaving
it at a invalid one, why 127 ? no specific reason beyond that its the
default
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
You can kill me, but you cannot change the truth.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-cvslog/attachments/20120126/db135709/attachment.asc>
More information about the ffmpeg-cvslog
mailing list