bmp: check available space when reading palette

Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-02-19 16:59:26 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-02-19 17:00:04 +0100
commit: 633f9974790e2c0cff6ffafddc1ce0224fb08329 (patch)
tree: 9fa59c11d3a03c3db59e1b2971f5a29865457a1e /libavcodec/bmp.c
parent: 1acd7d594c15aa491729c837ad3519d3469e620a (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c
index ea221bcc06..dddc818691 100644
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@@ -261,6 +261,10 @@ static int bmp_decode_frame(AVCodecContext *avctx,
         buf = buf0 + 14 + ihsize; //palette location
         // OS/2 bitmap, 3 bytes per palette entry
         if ((hsize-ihsize-14) < (colors << 2)) {
+            if ((hsize-ihsize-14) < colors * 3) {
+                av_log(avctx, AV_LOG_ERROR, "palette doesnt fit in packet\n");
+                return AVERROR_INVALIDDATA;
+            }
             for (i = 0; i < colors; i++)
                 ((uint32_t*)p->data[1])[i] = (0xFFU<<24) | bytestream_get_le24(&buf);
         } else {
author	Michael Niedermayer <michaelni@gmx.at>	2013-02-19 16:59:26 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-02-19 17:00:04 +0100
commit	633f9974790e2c0cff6ffafddc1ce0224fb08329 (patch)
tree	9fa59c11d3a03c3db59e1b2971f5a29865457a1e /libavcodec/bmp.c
parent	1acd7d594c15aa491729c837ad3519d3469e620a (diff)