[FFmpeg-cvslog] iff: validate CMAP palette size
Kostya Shishkov
git at videolan.org
Mon Mar 18 17:35:33 CET 2013
ffmpeg | branch: master | Kostya Shishkov <kostya.shishkov at gmail.com> | Sun Mar 17 20:22:19 2013 +0100| [50c449ac24fbb4c03c15d2e2026cef2204b80385] | committer: Luca Barbato
iff: validate CMAP palette size
Fixes CVE-2013-2495
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50c449ac24fbb4c03c15d2e2026cef2204b80385
---
libavformat/iff.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index ab22e11..79f5f16 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s)
break;
case ID_CMAP:
+ if (data_size < 3 || data_size > 768 || data_size % 3) {
+ av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+ data_size);
+ return AVERROR_INVALIDDATA;
+ }
st->codec->extradata_size = data_size;
st->codec->extradata = av_malloc(data_size);
if (!st->codec->extradata)
More information about the ffmpeg-cvslog
mailing list