[FFmpeg-cvslog] r25546 - trunk/libavcodec/mjpegdec.c

michael subversion
Fri Oct 22 00:44:44 CEST 2010


Author: michael
Date: Fri Oct 22 00:44:44 2010
New Revision: 25546

Log:
Check index in mjpeg AC decode against overflowing.
This fixes a possibly exploitable buffer overflow and it will likely also be needed for future overreading fixes.

Modified:
   trunk/libavcodec/mjpegdec.c

Modified: trunk/libavcodec/mjpegdec.c
==============================================================================
--- trunk/libavcodec/mjpegdec.c	Fri Oct 22 00:44:41 2010	(r25545)
+++ trunk/libavcodec/mjpegdec.c	Fri Oct 22 00:44:44 2010	(r25546)
@@ -411,7 +411,7 @@ static int decode_block(MJpegDecodeConte
     /* AC coefs */
     i = 0;
     {OPEN_READER(re, &s->gb)
-    for(;;) {
+    do {
         UPDATE_CACHE(re, &s->gb);
         GET_VLC(code, re, &s->gb, s->vlcs[1][ac_index].table, 9, 2)
 
@@ -444,7 +444,7 @@ static int decode_block(MJpegDecodeConte
             j = s->scantable.permutated[i];
             block[j] = level * quant_matrix[j];
         }
-    }
+    }while(i<63);
     CLOSE_READER(re, &s->gb)}
 
     return 0;
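Review bot: When `}while(i<63);` ends the loop because i has reached or passed 63, control falls through to `CLOSE_READER` and `return 0`, so a block whose coefficient index ran past the end is reported as decoded successfully, while the guard added to decode_block_progressive in this same commit logs and returns -1. If an index above 63 can only come from a corrupt stream, report it after the loop, for example `if (i > 63) { av_log(s->avctx, AV_LOG_ERROR, "AC index overflow: %d\n", i); return -1; }`. The condition is also evaluated only at the bottom of each pass, so the `s->scantable.permutated[i]` lookup shown here still depends on a check in the part of the loop body that lies outside this hunk. A short comment at the `do {` saying that the bound is a security fix would keep it from being reverted as a style cleanup.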
@@ -511,6 +511,10 @@ static int decode_block_progressive(MJpe
         }else{
             if(run == 0xF){// ZRL - skip 15 coefficients
                 i += 15;
+                if (i >= se) {
+                    av_log(s->avctx, AV_LOG_ERROR, "ZRL overflow: %d\n", i);
+                    return -1;
+                }
             }else{
                 val = (1 << run);
                 if(run){
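Review bot: The new `if (i >= se)` guard is only as tight as `se` itself, and nothing in this hunk shows `se` limited to the last valid coefficient index (63 for an 8x8 block). If `se` comes from the scan header, it should be range-checked where it is parsed; otherwise a large `se` would let i run past the coefficient block without tripping this test. The message also prints only i, and including the bound, as in `av_log(s->avctx, AV_LOG_ERROR, "ZRL overflow: %d >= %d\n", i, se);`, would make a rejected stream easier to triage from logs. The enclosing loop of decode_block_progressive starts and ends outside the hunk.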


