[FFmpeg-devel] [PATCH 3/3] jv demuxer: prevent video packet size overflow

Sat Mar 12 03:31:49 CET 2011

In the event of overflow, the JV_PADDING state will avio_skip over
any overflow bytes (using JVFrame.total_size).
---
 libavformat/jvdec.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
index 314a341..c27d8f6 100644
--- a/libavformat/jvdec.c
+++ b/libavformat/jvdec.c
@@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s,
         jvf->audio_size = avio_rl32(pb);
         jvf->video_size = avio_rl32(pb);
         jvf->palette_size = avio_r8(pb) ? 768 : 0;
+        jvf->video_size = FFMIN(jvf->video_size, INT_MAX - JV_PREAMBLE_SIZE
+                                                         - jvf->palette_size);
         if (avio_r8(pb))
              av_log(s, AV_LOG_WARNING, "unsupported audio codec\n");
         jvf->video_type = avio_r8(pb);
-- 
1.7.1


-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110312/60c9c28f/attachment.pgp>

