From 8b35bd806dd5424104a8a44a49da8b25d553dd10 Mon Sep 17 00:00:00 2001
From: Mike Melanson
Date: Wed, 5 Dec 2007 04:30:33 +0000
Subject: [PATCH] Check sanity in the palette loading operation. The addresses a potential security risk in the MOV/MP4 demuxer.
Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/mov.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6e6b8346b4..b598167e8b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
 uint8_t codec_name[32];
 /* for palette traversal */
- int color_depth;
- int color_start;
- int color_count;
- int color_end;
+ unsigned int color_depth;
+ unsigned int color_start;
+ unsigned int color_count;
+ unsigned int color_end;
 int color_index;
 int color_dec;
 int color_greyscale;
@@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
 color_start = get_be32(pb);
 color_count = get_be16(pb);
 color_end = get_be16(pb);
+ if ((color_start <= 255) &&
+ (color_end <= 255)) {
 for (j = color_start; j <= color_end; j++) {
 /* each R, G, or B component is 16 bits;
 * only use the top 8 bits; skip alpha bytes
@@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
 get_byte(pb);
 c->palette_control.palette[j] = (r << 16) | (g << 8) | (b);
+ }
 }
 }
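Review bot: The declarations in the first hunk change `color_start` and `color_end` to `unsigned int` without a comment saying the signedness is load-bearing. With the old `int` type, a 32-bit `color_start` with the top bit set would presumably have been negative and passed the new `<= 255` test, then indexed `palette[j]` below zero. A comment above the declarations such as `/* unsigned: file-supplied indices, range-checked before indexing the palette */` would keep a later cleanup from reverting the types. `color_index` and `color_dec` stay `int`, and their uses are outside the hunk, so it cannot be judged here whether they need the same treatment. The body of mov_read_stsd starts and ends outside this hunk.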
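Review bot: When the new guard `(color_start <= 255) && (color_end <= 255)` in the second hunk fails, the palette load is skipped silently. There is no log line or error return, and `c->palette_control.palette` keeps whatever it held before, so a malformed or hostile file leaves no trace. An `else` branch that reports the rejected `color_start` and `color_end` through `av_log` at `AV_LOG_ERROR` would make such files visible. The literal 255 also repeats the palette array's size by hand. The array's declaration is not in the hunk, but if it is sized by `AVPALETTE_COUNT`, writing `color_start < AVPALETTE_COUNT && color_end < AVPALETTE_COUNT` keeps the bound and the array from drifting apart. `color_count` is read from the file but takes no part in the check; the enclosing block continues outside the hunk, so any later use of it is not visible.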