Check for out of bounds writes in the Delphine Software International CIN decoder.
authorLaurent Aimar <fenrir@videolan.org>
Thu, 29 Sep 2011 22:05:51 +0000 (00:05 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 6 Nov 2011 18:49:11 +0000 (19:49 +0100)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3035c4034b6af3ad47f921e3385196e1b9d44ddf)
(cherry picked from commit 6e774cf67e6f30feb9b3dec11713d6b6dc0b521c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/dsicinav.c

index f8093fc..0d9fe05 100644 (file)
@@ -215,6 +215,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
 
     /* handle palette */
     if (palette_type == 0) {
+        if (palette_colors_count > 256)
+            return AVERROR_INVALIDDATA;
         for (i = 0; i < palette_colors_count; ++i) {
             cin->palette[i] = bytestream_get_le24(&buf);
             bitmap_frame_size -= 3;