avcodec/xpmdec: do not allow number of colors to be higher than allocated

author Paul B Mahol <onemda@gmail.com>

Sun, 12 Mar 2017 21:51:00 +0000 (22:51 +0100)

committer Paul B Mahol <onemda@gmail.com>

Sun, 12 Mar 2017 22:03:02 +0000 (23:03 +0100)
author Paul B Mahol <onemda@gmail.com>
Sun, 12 Mar 2017 21:51:00 +0000 (22:51 +0100)
committer Paul B Mahol <onemda@gmail.com>
Sun, 12 Mar 2017 22:03:02 +0000 (23:03 +0100)
diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c

index 25ef992a1ccb551d95f64d6b904cd0f374430bb2..592f81ac3c4f84713ad67dc5117d25437c2384e2 100644 (file)
--- a/libavcodec/xpmdec.c
+++ b/libavcodec/xpmdec.c
@@ -328,29 +328,22 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data,
      if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
          return ret;
  
-    if (ncolors <= 0) {
-        av_log(avctx, AV_LOG_ERROR, "invalid number of colors: %d\n", ncolors);
+    if (cpp <= 0 || cpp >= 5) {
+        av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp);
          return AVERROR_INVALIDDATA;
      }
  
-    if (cpp <= 0) {
-        av_log(avctx, AV_LOG_ERROR, "invalid number of chars per pixel: %d\n", cpp);
+    size = 1;
+    for (i = 0; i < cpp; i++)
+        size *= 94;
+
+    if (ncolors <= 0 || ncolors > size) {
+        av_log(avctx, AV_LOG_ERROR, "invalid number of colors: %d\n", ncolors);
          return AVERROR_INVALIDDATA;
      }
  
-    size = 1;
-    j = 1;
-    for (i = 0; i < cpp; i++) {
-        size += j * 94;
-        j *= 95;
-    }
      size *= 4;
  
-    if (size < 0) {
-        av_log(avctx, AV_LOG_ERROR, "unsupported number of chars per pixel: %d\n", cpp);
-        return AVERROR(ENOMEM);
-    }
-
      av_fast_padded_malloc(&x->pixels, &x->pixels_size, size);
      if (!x->pixels)
          return AVERROR(ENOMEM);
author	Paul B Mahol <onemda@gmail.com>
	Sun, 12 Mar 2017 21:51:00 +0000 (22:51 +0100)
committer	Paul B Mahol <onemda@gmail.com>
	Sun, 12 Mar 2017 22:03:02 +0000 (23:03 +0100)