[FFmpeg-cvslog] iff: validate CMAP palette size

Kostya Shishkov git at videolan.org
Sun Apr 7 16:08:21 CEST 2013


ffmpeg | branch: release/0.10 | Kostya Shishkov <kostya.shishkov at gmail.com> | Sun Mar 17 20:22:19 2013 +0100| [36aad4f1cc707feb15f071260a99f239b6623a59] | committer: Reinhard Tartler

iff: validate CMAP palette size

Fixes CVE-2013-2495

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

CC: libav-stable at libav.org
(cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 31a77177ff323ef83944c60a8654891213ab6691)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=36aad4f1cc707feb15f071260a99f239b6623a59
---

 libavformat/iff.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/iff.c b/libavformat/iff.c
index b895cf2..4552985 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -159,6 +159,11 @@ static int iff_read_header(AVFormatContext *s,
             break;
 
         case ID_CMAP:
+            if (data_size < 3 || data_size > 768 || data_size % 3) {
+                 av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n",
+                        data_size);
+                 return AVERROR_INVALIDDATA;
+            }
             st->codec->extradata_size = data_size;
             st->codec->extradata      = av_malloc(data_size);
             if (!st->codec->extradata)



More information about the ffmpeg-cvslog mailing list