diff --git a/ChangeLog b/ChangeLog
index 254aef2a55..1ac54ba9c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2006-03-10 Tim-Philipp Müller
+
+ * gst-libs/gst/riff/riff-media.c: (gst_riff_create_video_caps):
+ Make sure we don't read beyond the palette buffer in case of
+ broken or manipulated files (#333488, patch by: Fabrizio
+ Gennari)
+
 2006-03-10 Edward Hervey
 
 * gst/typefind/gsttypefindfunctions.c: (mp3_type_find_at_offset):
diff --git a/gst-libs/gst/riff/riff-media.c b/gst-libs/gst/riff/riff-media.c
index 01b6082db7..ebdebf1d65 100644
--- a/gst-libs/gst/riff/riff-media.c
+++ b/gst-libs/gst/riff/riff-media.c
@@ -556,21 +556,25 @@ gst_riff_create_video_caps (guint32 codec_fcc,
 else
 num_colors = 256;
 
- /* palette is always at least 256*4 bytes */
- copy = gst_buffer_new_and_alloc (MAX (num_colors * 4, 256 * 4));
- memcpy (GST_BUFFER_DATA (copy), GST_BUFFER_DATA (palette), GST_BUFFER_SIZE (palette));
+ if (GST_BUFFER_SIZE (palette) >= (num_colors * 4)) {
+ /* palette is always at least 256*4 bytes */
+ copy = gst_buffer_new_and_alloc (MAX (num_colors * 4, 256 * 4));
+ memcpy (GST_BUFFER_DATA (copy), GST_BUFFER_DATA (palette),
+ GST_BUFFER_SIZE (palette));
 #if (G_BYTE_ORDER == G_BIG_ENDIAN)
- gint n;
- guint32 *data = (guint32 *) GST_BUFFER_DATA (copy);
+ gint n;
+ guint32 *data = (guint32 *) GST_BUFFER_DATA (copy);
 
- /* own endianness */
- for (n = 0; n < num_colors; n++)
- data[n] = GUINT32_FROM_LE (data[n]);
+ /* own endianness */
+ for (n = 0; n < num_colors; n++)
+ data[n] = GUINT32_FROM_LE (data[n]);
 #endif
- gst_caps_set_simple (caps, "palette_data", GST_TYPE_BUFFER, copy, NULL);
- gst_buffer_unref (copy);
+ gst_caps_set_simple (caps, "palette_data", GST_TYPE_BUFFER, copy, NULL);
+ gst_buffer_unref (copy);
+ } else {
+ GST_WARNING ("Palette smaller than expected: broken file");
+ }
 }
 
 return caps;
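Review bot: The new guard bounds the read from `palette` but not the write into `copy`: the `memcpy` inside the added `if` still copies `GST_BUFFER_SIZE (palette)` bytes into an allocation of only `MAX (num_colors * 4, 256 * 4)` bytes, so a palette chunk larger than that (a file whose palette is, say, 2000 bytes with num_colors = 256) now overruns the destination on the heap instead of over-reading the source. Clamp the length to the destination, e.g. `memcpy (GST_BUFFER_DATA (copy), GST_BUFFER_DATA (palette), MIN (GST_BUFFER_SIZE (palette), GST_BUFFER_SIZE (copy)));`, or copy exactly `num_colors * 4` bytes, which is all the big-endian loop converts anyway. The retained comment `/* palette is always at least 256*4 bytes */` is now misleading, since the branch only guarantees `num_colors * 4` bytes of input; it should say the allocation is padded to 256*4 bytes for consumers of `palette_data`. The enclosing gst_riff_create_video_caps begins and ends outside this hunk, so where `num_colors` is derived from the stream header is not visible here.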