vqa: check palette chunk size before reading data.

Prevents overreads beyond buffer boundaries. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-21 15:19:31 -0700
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-22 12:17:14 -0700
commit: 75d7975268394f4f16294b68ec6d6d5ac30da3ac (patch)
tree: 6c1810bd5095a0a2f02166690bdd8d32cfe8eab1 /libavcodec/vqavideo.c
parent: d462949974668ffb013467d12dc4934b9106fe19 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 2bb9e2f2f8..54699a0ade 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -396,7 +396,7 @@ static int vqa_decode_chunk(VqaContext *s)
         bytestream2_seek(&s->gb, cpl0_chunk, SEEK_SET);
         chunk_size = bytestream2_get_be32(&s->gb);
         /* sanity check the palette size */
-        if (chunk_size / 3 > 256) {
+        if (chunk_size / 3 > 256 || chunk_size > bytestream2_get_bytes_left(&s->gb)) {
             av_log(s->avctx, AV_LOG_ERROR, "  VQA video: problem: found a palette chunk with %d colors\n",
                 chunk_size / 3);
             return AVERROR_INVALIDDATA;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-21 15:19:31 -0700
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-22 12:17:14 -0700
commit	75d7975268394f4f16294b68ec6d6d5ac30da3ac (patch)
tree	6c1810bd5095a0a2f02166690bdd8d32cfe8eab1 /libavcodec/vqavideo.c
parent	d462949974668ffb013467d12dc4934b9106fe19 (diff)