[SCM] libav/experimental: Check sanity in the palette loading operation. The addresses a potential security risk in the MOV/MP4 demuxer.

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sun Jun 30 16:10:08 UTC 2013


The following commit has been merged in the experimental branch:
commit 8b35bd806dd5424104a8a44a49da8b25d553dd10
Author: Mike Melanson <mike at multimedia.cx>
Date:   Wed Dec 5 04:30:33 2007 +0000

    Check sanity in the palette loading operation. This addresses a potential security risk in
    the MOV/MP4 demuxer.
    
    Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6e6b834..b598167 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
     uint8_t codec_name[32];
 
     /* for palette traversal */
-    int color_depth;
-    int color_start;
-    int color_count;
-    int color_end;
+    unsigned int color_depth;
+    unsigned int color_start;
+    unsigned int color_count;
+    unsigned int color_end;
     int color_index;
     int color_dec;
     int color_greyscale;
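Review bot: The switch of `color_depth`, `color_start`, `color_count` and `color_end` to `unsigned int` is what makes the later `<= 255` range check sufficient, but nothing at the declarations records that, so a later cleanup could turn them back into `int` and reopen the negative-index case. I would add a comment above them such as `/* unsigned: values come from the file; a signed type would let a negative index pass the <= 255 check */`. `color_index` and `color_dec` stay signed and are used outside this hunk, so it is worth confirming they are never derived from unvalidated file values. The body of mov_read_stsd begins and ends outside the hunk.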
@@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
                     color_start = get_be32(pb);
                     color_count = get_be16(pb);
                     color_end = get_be16(pb);
+                    if ((color_start <= 255) &&
+                        (color_end <= 255)) {
                     for (j = color_start; j <= color_end; j++) {
                         /* each R, G, or B component is 16 bits;
                          * only use the top 8 bits; skip alpha bytes
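Review bot: The new guard on `color_start` and `color_end` hard-codes 255 instead of deriving the limit from the array it protects, so the check and the size of `c->palette_control.palette` can drift apart. If that array is declared with `AVPALETTE_COUNT` (its declaration is not in this hunk), `if (color_start < AVPALETTE_COUNT && color_end < AVPALETTE_COUNT) {` keeps the two tied together. When the check fails the palette is skipped silently and the entry bytes stay unread; a warning through `av_log` naming the rejected range would make malformed files visible during triage. Whether the unread bytes matter depends on how the atom is skipped afterwards, which is not visible here. `color_count` is read but is not compared with `color_end - color_start + 1` in the visible lines.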
@@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
                         get_byte(pb);
                         c->palette_control.palette[j] =
                             (r << 16) | (g << 8) | (b);
+                        }
                     }
                 }
 

-- 
Libav/FFmpeg packaging


