Merge commit '31a77177ff323ef83944c60a8654891213ab6691' into release/1.1
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 12 May 2013 09:21:41 +0000 (11:21 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 12 May 2013 09:21:41 +0000 (11:21 +0200)
* commit '31a77177ff323ef83944c60a8654891213ab6691':
  iff: validate CMAP palette size

Conflicts:
libavformat/iff.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavformat/iff.c

@@@ -242,20 -165,17 +242,23 @@@ static int iff_read_header(AVFormatCont
              }
              break;
  
 +        case ID_CAMG:
 +            if (data_size < 4)
 +                return AVERROR_INVALIDDATA;
 +            screenmode                = avio_rb32(pb);
 +            break;
 +
          case ID_CMAP:
-             if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
-                 return AVERROR_INVALIDDATA;
+             if (data_size < 3 || data_size > 768 || data_size % 3) {
+                  av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+                         data_size);
+                  return AVERROR_INVALIDDATA;
+             }
 -            st->codec->extradata_size = data_size;
 -            st->codec->extradata      = av_malloc(data_size);
 +            st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
 +            st->codec->extradata      = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
              if (!st->codec->extradata)
                  return AVERROR(ENOMEM);
 -            if (avio_read(pb, st->codec->extradata, data_size) < 0)
 +            if (avio_read(pb, st->codec->extradata + IFF_EXTRA_VIDEO_SIZE, data_size) < 0)
                  return AVERROR(EIO);
              break;
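Review bot: The `avio_read()` check at the end of the `ID_CMAP` case only rejects a negative return, so a truncated file that delivers fewer than `data_size` bytes leaves the tail of the palette as whatever `av_malloc()` returned, and the `FF_INPUT_BUFFER_PADDING_SIZE` bytes are never zeroed either. I would allocate with `av_mallocz(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE)` and compare the read length, `if (avio_read(pb, st->codec->extradata + IFF_EXTRA_VIDEO_SIZE, data_size) != data_size)`. The case also assigns `st->codec->extradata` without releasing an earlier buffer, so a file carrying more than one CMAP chunk would appear to leak the previous allocation; whether something outside the hunk prevents that is not visible here. `iff_read_header` starts and ends outside the hunk, including wherever the first `IFF_EXTRA_VIDEO_SIZE` bytes are filled in.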