Check sanity in the palette loading operation. The addresses a potential security risk in

the MOV/MP4 demuxer.

Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
pull/126/head
Mike Melanson 17 years ago
parent ab19baef36
commit 8b35bd806d
  1. 11
      libavformat/mov.c

@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
uint8_t codec_name[32]; uint8_t codec_name[32];
/* for palette traversal */ /* for palette traversal */
int color_depth; unsigned int color_depth;
int color_start; unsigned int color_start;
int color_count; unsigned int color_count;
int color_end; unsigned int color_end;
int color_index; int color_index;
int color_dec; int color_dec;
int color_greyscale; int color_greyscale;
@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
color_start = get_be32(pb); color_start = get_be32(pb);
color_count = get_be16(pb); color_count = get_be16(pb);
color_end = get_be16(pb); color_end = get_be16(pb);
if ((color_start <= 255) &&
(color_end <= 255)) {
for (j = color_start; j <= color_end; j++) { for (j = color_start; j <= color_end; j++) {
/* each R, G, or B component is 16 bits; /* each R, G, or B component is 16 bits;
* only use the top 8 bits; skip alpha bytes * only use the top 8 bits; skip alpha bytes
@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb); get_byte(pb);
c->palette_control.palette[j] = c->palette_control.palette[j] =
(r << 16) | (g << 8) | (b); (r << 16) | (g << 8) | (b);
}
} }
} }

Loading…
Cancel
Save