Mercurial > libavformat.hg
comparison mov.c @ 2809:17086a526938 libavformat
Check sanity in the palette loading operation. The addresses a potential security risk in
the MOV/MP4 demuxer.
| author | melanson |
|---|---|
| date | Wed, 05 Dec 2007 04:30:33 +0000 |
| parents | 5bf4b9df2794 |
| children | e106e4b43718 |
comparison
equal
deleted
inserted
replaced
| 2808:a8b9018a4ffb | 2809:17086a526938 |
|---|---|
| 570 int entries, frames_per_sample; | 570 int entries, frames_per_sample; |
| 571 uint32_t format; | 571 uint32_t format; |
| 572 uint8_t codec_name[32]; | 572 uint8_t codec_name[32]; |
| 573 | 573 |
| 574 /* for palette traversal */ | 574 /* for palette traversal */ |
| 575 int color_depth; | 575 unsigned int color_depth; |
| 576 int color_start; | 576 unsigned int color_start; |
| 577 int color_count; | 577 unsigned int color_count; |
| 578 int color_end; | 578 unsigned int color_end; |
| 579 int color_index; | 579 int color_index; |
| 580 int color_dec; | 580 int color_dec; |
| 581 int color_greyscale; | 581 int color_greyscale; |
| 582 const uint8_t *color_table; | 582 const uint8_t *color_table; |
| 583 int j; | 583 int j; |
| 699 | 699 |
| 700 /* load the palette from the file */ | 700 /* load the palette from the file */ |
| 701 color_start = get_be32(pb); | 701 color_start = get_be32(pb); |
| 702 color_count = get_be16(pb); | 702 color_count = get_be16(pb); |
| 703 color_end = get_be16(pb); | 703 color_end = get_be16(pb); |
| 704 if ((color_start <= 255) && | |
| 705 (color_end <= 255)) { | |
| 704 for (j = color_start; j <= color_end; j++) { | 706 for (j = color_start; j <= color_end; j++) { |
| 705 /* each R, G, or B component is 16 bits; | 707 /* each R, G, or B component is 16 bits; |
| 706 * only use the top 8 bits; skip alpha bytes | 708 * only use the top 8 bits; skip alpha bytes |
| 707 * up front */ | 709 * up front */ |
| 708 get_byte(pb); | 710 get_byte(pb); |
| 713 get_byte(pb); | 715 get_byte(pb); |
| 714 b = get_byte(pb); | 716 b = get_byte(pb); |
| 715 get_byte(pb); | 717 get_byte(pb); |
| 716 c->palette_control.palette[j] = | 718 c->palette_control.palette[j] = |
| 717 (r << 16) | (g << 8) | (b); | 719 (r << 16) | (g << 8) | (b); |
| 720 } | |
| 718 } | 721 } |
| 719 } | 722 } |
| 720 | 723 |
| 721 st->codec->palctrl = &c->palette_control; | 724 st->codec->palctrl = &c->palette_control; |
| 722 st->codec->palctrl->palette_changed = 1; | 725 st->codec->palctrl->palette_changed = 1; |