# HG changeset patch
# User melanson
# Date 1196829033 0
# Node ID 17086a5269381fd479b23c9839ab6634e8ab2808
# Parent a8b9018a4ffbeffe328798a65497f9bd39cc19c6
Check sanity in the palette loading operation. The addresses a potential security risk in the MOV/MP4 demuxer.
diff -r a8b9018a4ffb -r 17086a526938 mov.c
--- a/mov.c Tue Dec 04 23:43:01 2007 +0000
+++ b/mov.c Wed Dec 05 04:30:33 2007 +0000
@@ -572,10 +572,10 @@
 uint8_t codec_name[32];
 /* for palette traversal */
- int color_depth;
- int color_start;
- int color_count;
- int color_end;
+ unsigned int color_depth;
+ unsigned int color_start;
+ unsigned int color_count;
+ unsigned int color_end;
 int color_index;
 int color_dec;
 int color_greyscale;
@@ -701,6 +701,8 @@
 color_start = get_be32(pb);
 color_count = get_be16(pb);
 color_end = get_be16(pb);
+ if ((color_start <= 255) &&
+ (color_end <= 255)) {
 for (j = color_start; j <= color_end; j++) {
 /* each R, G, or B component is 16 bits;
 * only use the top 8 bits; skip alpha bytes
@@ -715,6 +717,7 @@
 get_byte(pb);
 c->palette_control.palette[j] = (r << 16) | (g << 8) | (b);
+ }
 }
 }
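Review bot: Nothing in the declarations says that the `unsigned int` type of `color_start`, `color_count` and `color_end` is load-bearing, yet it is what lets the later `<= 255` test work as a complete range check. With the old `int` types a value with the top bit set would compare as negative, pass `<= 255` and still index before the start of the palette, so a later cleanup that reverts the types would reopen the problem without touching the guard. I would extend the comment above them to `/* for palette traversal; unsigned because these come from the file and are range-checked before indexing the palette */`. The loop index `j` is declared outside this hunk; if it is a signed `int`, `j <= color_end` now mixes signedness, which is harmless once both ends are bounded by 255. The enclosing function starts and ends outside the hunk.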
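Review bot: When the new `if` in front of the `for` loop rejects `color_start` or `color_end`, the palette is dropped silently, so a malformed or hostile file is indistinguishable from one that carries no palette. An `else` branch with an `av_log()` warning that prints both values would give anyone triaging a suspicious sample something to search for. The code after the block is outside this hunk, so it is worth confirming that it does not go on to publish a palette that was never filled in. The literal 255 also restates the size of `c->palette_control.palette`, which is declared elsewhere; bounding against the array itself, e.g. `color_start < sizeof(c->palette_control.palette) / sizeof(c->palette_control.palette[0])`, keeps guard and array from drifting apart.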