virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

Check sanity in the palette loading operation. The addresses a potential security risk in

Browse Source 
the MOV/MP4 demuxer.

Originally committed as revision 11166 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Mike Melanson
2007-12-05 04:30:33 +00:00
parent ab19baef36
commit 8b35bd806d
1 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
libavformat/mov.c
View File

@@ -572,10 +572,10 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
uint8_t codec_name[32]; uint8_t codec_name[32];
/* for palette traversal */ /* for palette traversal */
int color_depth; unsigned int color_depth;
int color_start; unsigned int color_start;
int color_count; unsigned int color_count;
int color_end; unsigned int color_end;
int color_index; int color_index;
int color_dec; int color_dec;
int color_greyscale; int color_greyscale;
@@ -701,6 +701,8 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
color_start = get_be32(pb); color_start = get_be32(pb);
color_count = get_be16(pb); color_count = get_be16(pb);
color_end = get_be16(pb); color_end = get_be16(pb);
if ((color_start <= 255) &&
(color_end <= 255)) {
for (j = color_start; j <= color_end; j++) { for (j = color_start; j <= color_end; j++) {
/* each R, G, or B component is 16 bits; /* each R, G, or B component is 16 bits;
* only use the top 8 bits; skip alpha bytes * only use the top 8 bits; skip alpha bytes
@@ -715,6 +717,7 @@ static int mov_read_stsd(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb); get_byte(pb);
c->palette_control.palette[j] = c->palette_control.palette[j] =
(r << 16) | (g << 8) | (b); (r << 16) | (g << 8) | (b);
}
} }
} }