diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2016-08-04 13:26:41 +0300 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2016-08-08 19:37:07 +0300 |
commit | 6aa39080ccea2b60433e920417844c3a3c0da50b (patch) | |
tree | 450a310cfa952f321891fb0e7943f0635e896afe /libavcodec/rawdec.c | |
parent | 3bf142c77337814458ed8e036796934032d9837f (diff) |
avcodec/rawdec: Fix palette handling with changing palettes
Fixes out of array access
Fixes: poc.swf
Found-by: 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/rawdec.c')
-rw-r--r-- | libavcodec/rawdec.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 765e567d1f..f97a839f5d 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -365,20 +365,29 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { - av_buffer_unref(&context->palette); + int ret; + if (!context->palette) context->palette = av_buffer_alloc(AVPALETTE_SIZE); - if (!context->palette) { - av_buffer_unref(&frame->buf[0]); - return AVERROR(ENOMEM); - } + if (!context->palette) { + av_buffer_unref(&frame->buf[0]); + return AVERROR(ENOMEM); + } + ret = av_buffer_make_writable(&context->palette); + if (ret < 0) { + av_buffer_unref(&frame->buf[0]); + return ret; + } + + if (pal) { memcpy(context->palette->data, pal, AVPALETTE_SIZE); frame->palette_has_changed = 1; } else if (context->is_nut_pal8) { int vid_size = avctx->width * avctx->height; - if (avpkt->size - vid_size) { + int pal_size = avpkt->size - vid_size; + + if (avpkt->size > vid_size && pal_size <= AVPALETTE_SIZE) { pal = avpkt->data + vid_size; - memcpy(context->palette->data, pal, avpkt->size - vid_size); + memcpy(context->palette->data, pal, pal_size); frame->palette_has_changed = 1; } } |