avcodec/interplayvideo: Check side data size before use

michaelni · michaelni · commit 85d23e5cbc9a · 2016-10-25T04:46:02.000+02:00
Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer &lt;michael@niedermayer.cc&gt;
diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
@@ -1013,10 +1013,13 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
         return ret;
 
     if (!s->is_16bpp) {
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
-        if (pal) {
+        int size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
+        if (pal && size == AVPALETTE_SIZE) {
             frame->palette_has_changed = 1;
             memcpy(s->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1013,10 +1013,13 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,`
`1013`	`1013`	`return ret;`
`1014`	`1014`
`1015`	`1015`	`if (!s->is_16bpp) {`
`1016`		`- const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);`
`1017`		`- if (pal) {`
	`1016`	`+ int size;`
	`1017`	`+ const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);`
	`1018`	`+ if (pal && size == AVPALETTE_SIZE) {`
`1018`	`1019`	`frame->palette_has_changed = 1;`
`1019`	`1020`	`memcpy(s->pal, pal, AVPALETTE_SIZE);`
	`1021`	`+ } else if (pal) {`
	`1022`	`+ av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);`
`1020`	`1023`	`}`
`1021`	`1024`	`}`
`1022`	`1025`