From 6aa39080ccea2b60433e920417844c3a3c0da50b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Aug 2016 12:26:41 +0200 Subject: [PATCH] avcodec/rawdec: Fix palette handling with changing palettes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array access Fixes: poc.swf Found-by: 连一汉 Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 765e567d1f..f97a839f5d 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -365,20 +365,29 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { - av_buffer_unref(&context->palette); + int ret; + if (!context->palette) context->palette = av_buffer_alloc(AVPALETTE_SIZE); - if (!context->palette) { - av_buffer_unref(&frame->buf[0]); - return AVERROR(ENOMEM); - } + if (!context->palette) { + av_buffer_unref(&frame->buf[0]); + return AVERROR(ENOMEM); + } + ret = av_buffer_make_writable(&context->palette); + if (ret < 0) { + av_buffer_unref(&frame->buf[0]); + return ret; + } + + if (pal) { memcpy(context->palette->data, pal, AVPALETTE_SIZE); frame->palette_has_changed = 1; } else if (context->is_nut_pal8) { int vid_size = avctx->width * avctx->height; - if (avpkt->size - vid_size) { + int pal_size = avpkt->size - vid_size; + + if (avpkt->size > vid_size && pal_size <= AVPALETTE_SIZE) { pal = avpkt->data + vid_size; - memcpy(context->palette->data, pal, avpkt->size - vid_size); + memcpy(context->palette->data, pal, pal_size); frame->palette_has_changed = 1; } }