[FFmpeg-cvslog] mss1: check number of free colours
Paul B Mahol
git at videolan.org
Tue Jun 26 01:07:46 CEST 2012
ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Mon Jun 25 22:45:08 2012 +0000| [e3c26705392e462fabf54366fbad3dbf6ec832d1] | committer: Paul B Mahol
mss1: check number of free colours
Prevents out of array write.
Signed-off-by: Paul B Mahol <onemda at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e3c26705392e462fabf54366fbad3dbf6ec832d1
---
libavcodec/mss1.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c
index b9e3233..dfddbd9 100644
--- a/libavcodec/mss1.c
+++ b/libavcodec/mss1.c
@@ -783,6 +783,10 @@ static av_cold int mss1_decode_init(AVCodecContext *avctx)
av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d\n",
AV_RB32(avctx->extradata + 4), AV_RB32(avctx->extradata + 8));
c->free_colours = AV_RB32(avctx->extradata + 48);
+ if (c->free_colours < 0 || c->free_colours > 256) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid free colours %d\n", c->free_colours);
+ return AVERROR_INVALIDDATA;
+ }
av_log(avctx, AV_LOG_DEBUG, "%d free colour(s)\n", c->free_colours);
avctx->coded_width = AV_RB32(avctx->extradata + 20);
avctx->coded_height = AV_RB32(avctx->extradata + 24);
More information about the ffmpeg-cvslog
mailing list