avformat/ipmovie: Check that OPCODE_SET_PALETTE size is large enough

Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7fec1f40656c_4819_descent3_level5_16bit_partial.mve
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c
index db95c49..3c53686 100644 (file)
--- a/libavformat/ipmovie.c
+++ b/libavformat/ipmovie.c
@@ -451,8 +451,8 @@ static int process_ipmovie_chunk(IPMVEContext *s, AVIOContext *pb,
             av_dlog(NULL, "set palette\n");
             /* check for the logical maximum palette size
              * (3 * 256 + 4 bytes) */
-            if (opcode_size > 0x304) {
-                av_dlog(NULL, "demux_ipmovie: set_palette opcode too large\n");
+            if (opcode_size > 0x304 || opcode_size < 4) {
+                av_dlog(NULL, "demux_ipmovie: set_palette opcode with invalid size\n");
                 chunk_type = CHUNK_BAD;
                 break;
             }