diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-08 02:28:40 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-08 02:51:45 +0100 |
| commit | bf807a5e874442aa3fe1b475459cdd509e34bff4 (patch) | |
| tree | f8067bfb5e99b8b8e2716a7ea8519a4aaa8ac60f /libavformat/smacker.c | |
| parent | 4cda8aa1c5bc58f8a7f53a21a19b03e7379bbcdc (diff) | |
| parent | 6eda85e15b38863a627fd0602098aa3250174698 (diff) | |
| download | ffmpeg-bf807a5e874442aa3fe1b475459cdd509e34bff4.tar.gz | |
Merge remote-tracking branch 'qatar/master'
* qatar/master: (29 commits)
sbrdsp.asm: convert all instructions to float/SSE ones.
dv: cosmetics.
dv: check buffer size before reading profile.
Revert "AAC SBR: group some writes."
udp: Print an error message if bind fails
cook: extend channel uncoupling tables so the full bit range is covered.
roqvideo: cosmetics.
roqvideo: convert to bytestream2 API.
dca: don't use av_clip_uintp2().
wmall: fix build with -DDEBUG enabled.
smc: port to bytestream2 API.
AAC SBR: group some writes.
dsputil: remove shift parameter from scalarproduct_int16
SBR DSP: unroll sum_square
rv34: remove dead code in intra availability check
rv34: clean a bit availability checks.
v4l2: update documentation
tgq: convert to bytestream2 API.
parser: remove forward declaration of MpegEncContext
dca: prevent accessing static arrays with invalid indexes.
...
Conflicts:
doc/indevs.texi
libavcodec/Makefile
libavcodec/dca.c
libavcodec/dvdata.c
libavcodec/eatgq.c
libavcodec/mmvideo.c
libavcodec/roqvideodec.c
libavcodec/smc.c
libswscale/output.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/smacker.c')
| -rw-r--r-- | libavformat/smacker.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/libavformat/smacker.c b/libavformat/smacker.c index c023b0ea27..a3545f4ac7 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -267,8 +267,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) sz += (t & 0x7F) + 1; pal += ((t & 0x7F) + 1) * 3; } else if(t & 0x40){ /* copy with offset */ - off = avio_r8(s->pb) * 3; + off = avio_r8(s->pb); j = (t & 0x3F) + 1; + if (off + j > 0xff) { + av_log(s, AV_LOG_ERROR, + "Invalid palette update, offset=%d length=%d extends beyond palette size\n", + off, j); + return AVERROR_INVALIDDATA; + } + off *= 3; while(j-- && sz < 256) { *pal++ = oldpal[off + 0]; *pal++ = oldpal[off + 1]; |