avcodec/g2meet: check available space before copying palette

michaelni · michaelni · commit 6d9dad6a7cb5 · 2013-11-27T00:10:23.000+01:00
Fixes out of array read
Fixes: asan_heap-uaf_ae6067_5415_g2m4.wmv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer &lt;michaelni@gmx.at&gt;
diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
@@ -375,6 +375,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,
         src += 3;
     }
     npal = *src++ + 1;
+    if (src_end - src < npal * 3)
+        return AVERROR_INVALIDDATA;
     memcpy(pal, src, npal * 3); src += npal * 3;
     if (sub_type != 2) {
         for (i = 0; i < npal; i++) {

Original file line number	Diff line number	Diff line change
`@@ -375,6 +375,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y,`
`375`	`375`	`src += 3;`
`376`	`376`	`}`
`377`	`377`	`npal = *src++ + 1;`
	`378`	`+ if (src_end - src < npal * 3)`
	`379`	`+ return AVERROR_INVALIDDATA;`
`378`	`380`	`memcpy(pal, src, npal * 3); src += npal * 3;`
`379`	`381`	`if (sub_type != 2) {`
`380`	`382`	`for (i = 0; i < npal; i++) {`