From e3f8b322793d54b168cf51f59ff0ec76160e6f77 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 30 Oct 2016 13:44:52 +0100
Subject: [PATCH] avcodec/8bps: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/8bps.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index 2e4464dbb4..14f7bd5bf6 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -120,12 +120,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     }
 
     if (avctx->bits_per_coded_sample <= 8) {
+        int size;
         const uint8_t *pal = av_packet_get_side_data(avpkt,
                                                      AV_PKT_DATA_PALETTE,
-                                                     NULL);
-        if (pal) {
+                                                     &size);
+        if (pal && size == AVPALETTE_SIZE) {
             frame->palette_has_changed = 1;
             memcpy(c->pal, pal, AVPALETTE_SIZE);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
         }
 
         memcpy (frame->data[1], c->pal, AVPALETTE_SIZE);