[FFmpeg-cvslog] mss1: validate number of changeable palette entries

Thu Jun 28 01:09:06 CEST 2012

ffmpeg | branch: master | Kostya Shishkov <kostya.shishkov at gmail.com> | Wed Jun 27 10:11:19 2012 +0200| [15358ade152ebc28fcc824e09ad9206597c281df] | committer: Kostya Shishkov

mss1: validate number of changeable palette entries

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15358ade152ebc28fcc824e09ad9206597c281df
---

 libavcodec/mss1.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c
index 062cf3a..523a961 100644
--- a/libavcodec/mss1.c
+++ b/libavcodec/mss1.c
@@ -783,6 +783,12 @@ static av_cold int mss1_decode_init(AVCodecContext *avctx)
     av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d\n",
            AV_RB32(avctx->extradata + 4), AV_RB32(avctx->extradata + 8));
     c->free_colours     = AV_RB32(avctx->extradata + 48);
+    if ((unsigned)c->free_colours > 256) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Incorrect number of changeable palette entries: %d\n",
+               c->free_colours);
+        return AVERROR_INVALIDDATA;
+    }
     av_log(avctx, AV_LOG_DEBUG, "%d free colour(s)\n", c->free_colours);
     avctx->coded_width  = AV_RB32(avctx->extradata + 20);
     avctx->coded_height = AV_RB32(avctx->extradata + 24);

