[FFmpeg-devel] [PATCH] some length validation for mjpegdec
Stefano Sabatini
stefano.sabatini-lala
Fri Jul 23 18:56:43 CEST 2010
On date Friday 2010-07-23 18:55:17 +0200, Reimar Döffinger encoded:
> Hello,
> seems like in some places we might read far beyond the get_bits
> buffer and crash.
> Attached is an attempt to fix it.
> Some of the existing code doing such checks could be simplified
> by using get_bits_left, too.
>
> Reimar
> Index: libavcodec/mjpegdec.c
> ===================================================================
> --- libavcodec/mjpegdec.c (revision 24435)
> +++ libavcodec/mjpegdec.c (working copy)
> @@ -118,6 +118,10 @@
> int len, index, i, j;
>
> len = get_bits(&s->gb, 16) - 2;
> + if (len > get_bits_left(&s->gb) >> 3) {
> + av_log(s->avctx, AV_LOG_ERROR, "decode_dht: not enough data\n");
> + return -1;
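Review bot: the added `if (len > get_bits_left(&s->gb) >> 3)` bounds `len` from above only. `len` is a signed int computed as a 16-bit field minus 2, so a length field of 0 or 1 gives a negative `len` that passes this test. Unless the code after the check already copes with that, reject `len < 0` here as well. Separately, get_bits_left() returns a signed int, and right-shifting a negative value is implementation-defined in C. Writing the comparison as `len * 8 > get_bits_left(&s->gb)` avoids the shift and cannot overflow for a 16-bit length.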
AVERROR_INVALIDDATA
here and below.
[...]
Regards.
--
FFmpeg = Fanciful Fascinating Mean Powerful Entertaining Gargoyle