From 50c449ac24fbb4c03c15d2e2026cef2204b80385 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sun, 17 Mar 2013 20:22:19 +0100 Subject: [PATCH] iff: validate CMAP palette size Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org --- libavformat/iff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index ab22e118f0..79f5f16050 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s) break; case ID_CMAP: + if (data_size < 3 || data_size > 768 || data_size % 3) { + av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n", + data_size); + return AVERROR_INVALIDDATA; + } st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata)