From 633f9974790e2c0cff6ffafddc1ce0224fb08329 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 19 Feb 2013 16:59:26 +0100
Subject: bmp: check available space when reading palette

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/bmp.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec/bmp.c')

diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c
index ea221bcc06..dddc818691 100644
--- a/libavcodec/bmp.c
+++ b/libavcodec/bmp.c
@@ -261,6 +261,10 @@ static int bmp_decode_frame(AVCodecContext *avctx,
         buf = buf0 + 14 + ihsize; //palette location
         // OS/2 bitmap, 3 bytes per palette entry
         if ((hsize-ihsize-14) < (colors << 2)) {
+            if ((hsize-ihsize-14) < colors * 3) {
+                av_log(avctx, AV_LOG_ERROR, "palette doesnt fit in packet\n");
+                return AVERROR_INVALIDDATA;
+            }
             for (i = 0; i < colors; i++)
                 ((uint32_t*)p->data[1])[i] = (0xFFU<<24) | bytestream_get_le24(&buf);
         } else {
-- 
cgit v1.2.3