[vlc-devel] [PATCH] png: fix crash on empty palettes
Tristan Matthews
le.businessman at gmail.com
Fri Feb 7 21:43:35 CET 2014
See CVE-2013-6954
---
modules/codec/png.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/modules/codec/png.c b/modules/codec/png.c
index b4d6ef4..3337ed8 100644
--- a/modules/codec/png.c
+++ b/modules/codec/png.c
@@ -193,7 +193,16 @@ static picture_t *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
p_dec->fmt_out.video.i_bmask = 0x00ff0000;
if( i_color_type == PNG_COLOR_TYPE_PALETTE )
+ {
+ /* avoid CVE-2013-6954 */
+ int i_num_palette;
+ png_colorp p_palette;
+
+ if (!png_get_PLTE(p_png, p_info, &p_palette, &i_num_palette))
+ goto error;
+
png_set_palette_to_rgb( p_png );
+ }
if( i_color_type == PNG_COLOR_TYPE_GRAY ||
i_color_type == PNG_COLOR_TYPE_GRAY_ALPHA )
--
1.8.5.3
More information about the vlc-devel
mailing list