[vlc-devel] [PATCH v2] png: fix crash on empty palettes
Tristan Matthews
le.businessman at gmail.com
Fri Feb 7 22:03:29 CET 2014
See CVE-2013-6954, this only affects libpng 1.6.1-1.6.7.
---
modules/codec/png.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/modules/codec/png.c b/modules/codec/png.c
index b4d6ef4..c120338 100644
--- a/modules/codec/png.c
+++ b/modules/codec/png.c
@@ -193,7 +193,18 @@ static picture_t *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
p_dec->fmt_out.video.i_bmask = 0x00ff0000;
if( i_color_type == PNG_COLOR_TYPE_PALETTE )
+ {
+ /* avoid CVE-2013-6954 */
+#if PNG_LIBPNG_VER >= 10601 && PNG_LIBPNG_VER <= 10607
+ int i_num_palette;
+ png_colorp p_palette;
+
+ if( !png_get_PLTE( p_png, p_info, &p_palette, &i_num_palette ) )
+ goto error;
+#endif
+
png_set_palette_to_rgb( p_png );
+ }
if( i_color_type == PNG_COLOR_TYPE_GRAY ||
i_color_type == PNG_COLOR_TYPE_GRAY_ALPHA )
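
Review bot: the `#if PNG_LIBPNG_VER >= 10601 && PNG_LIBPNG_VER <= 10607` guard around the new check is evaluated against the libpng headers at build time, not against the library loaded at run time. A build made with headers outside that range but dynamically linked to a libpng in 1.6.1-1.6.7 would compile the check out and still reach `png_set_palette_to_rgb( p_png )` unprotected. Consider making the `png_get_PLTE()` test unconditional, since it is cheap and a palette image without a usable palette cannot be decoded anyway, or selecting it at run time with `png_access_version_number()`. Separately, `i_num_palette` and `p_palette` are fetched but never read. Since the subject line is about empty palettes, either also reject `i_num_palette <= 0` or extend the `/* avoid CVE-2013-6954 */` comment to say why the return value alone is sufficient.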
--
1.8.5.3