[FFmpeg-cvslog] jvdec: Do not feed the decoder with known wrong data

Luca Barbato git at videolan.org
Sat Dec 21 00:12:59 CET 2013


ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Fri Dec 13 03:07:57 2013 +0100| [15739a9bd19a7d47ad8afb25348c684a3bdd6ef2] | committer: Luca Barbato

jvdec: Do not feed the decoder with known wrong data

Still assume the size value is right in non-explode mode.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15739a9bd19a7d47ad8afb25348c684a3bdd6ef2
---

 libavformat/jvdec.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 6bf220f..17ce326 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -128,10 +128,23 @@ static int read_header(AVFormatContext *s)
         jvf->audio_size = avio_rl32(pb);
         jvf->video_size = avio_rl32(pb);
         jvf->palette_size = avio_r8(pb) ? 768 : 0;
-        jvf->video_size = FFMIN(FFMAX(jvf->video_size, 0),
-                                INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size);
+
+        if ((jvf->video_size | jvf->audio_size) & ~0xFFFFFF ||
+            e->size - jvf->audio_size
+                    - jvf->video_size
+                    - jvf->palette_size < 0) {
+            if (s->error_recognition & AV_EF_EXPLODE) {
+                read_close(s);
+                return AVERROR_INVALIDDATA;
+            }
+            jvf->audio_size =
+            jvf->video_size =
+            jvf->palette_size = 0;
+        }
+
         if (avio_r8(pb))
              av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
+
         jvf->video_type = avio_r8(pb);
         avio_skip(pb, 1);
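Review bot: The non-explode branch of the new check (`jvf->audio_size = jvf->video_size = jvf->palette_size = 0;`) zeroes the frame's sizes without logging anything, so a truncated or corrupt file yields empty frames with no hint why. An av_log warning at that point, in the style of the existing "unsupported audio codec" message just below, would make the condition diagnosable. The `~0xFFFFFF` mask also deserves a short comment or a named constant. It rejects any size with bits set above the low 24, which also covers negative values if the fields are signed. Because `||` short-circuits, the `e->size - ...` subtraction only runs once both sizes are known to fit in 24 bits, so the mask bounds its operands. That dependency is not obvious from the expression alone.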
 


