Check sanity in the palette loading operation. The addresses a potential security risk in

the MOV/MP4 demuxer. Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
2025-03-23 04:24:35 +02:00 · 2007-12-05 04:30:33 +00:00 · 2007-12-05 04:30:33 +00:00 · 8b35bd806d
commit 8b35bd806d
parent ab19baef36
1 changed files with 7 additions and 4 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
    uint8_t codec_name[32];

    /* for palette traversal */
-    int color_depth;
-    int color_start;
-    int color_count;
-    int color_end;
+    unsigned int color_depth;
+    unsigned int color_start;
+    unsigned int color_count;
+    unsigned int color_end;
    int color_index;
    int color_dec;
    int color_greyscale;
@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
                    color_start = get_be32(pb);
                    color_count = get_be16(pb);
                    color_end = get_be16(pb);
+                    if ((color_start <= 255) &&
+                        (color_end <= 255)) {
                    for (j = color_start; j <= color_end; j++) {
                        /* each R, G, or B component is 16 bits;
                         * only use the top 8 bits; skip alpha bytes
@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
                        get_byte(pb);
                        c->palette_control.palette[j] =
                            (r << 16) | (g << 8) | (b);
+                        }
                    }
                }