[FFmpeg-devel] [PATCH 3/3] jv demuxer: prevent video packet size overflow

Michael Niedermayer michaelni
Sat Mar 12 03:52:04 CET 2011


On Sat, Mar 12, 2011 at 01:31:49PM +1100, Peter Ross wrote:
> In the event of overflow, the JV_PADDING state will avio_skip over
> any overflow bytes (using JVFrame.total_size).
> ---
>  libavformat/jvdec.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
> index 314a341..c27d8f6 100644
> --- a/libavformat/jvdec.c
> +++ b/libavformat/jvdec.c
> @@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s,
>          jvf->audio_size = avio_rl32(pb);
>          jvf->video_size = avio_rl32(pb);
>          jvf->palette_size = avio_r8(pb) ? 768 : 0;
> +        jvf->video_size = FFMIN(jvf->video_size, INT_MAX - JV_PREAMBLE_SIZE
> +                                                         - jvf->palette_size);
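Review bot: the FFMIN clamp on video_size does not handle the negative case: avio_rl32() yields an unsigned 32-bit value that is stored into a signed int, so anything at or above 0x80000000 becomes negative and passes `FFMIN(jvf->video_size, INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size)` unchanged, and the padding skip described in the commit message would then work from a negative size. The same hunk also leaves audio_size (read two lines earlier, also via avio_rl32) unbounded, so a total built from preamble + audio_size + video_size + palette_size can still exceed INT_MAX even after this clamp. A range check on both fields that rejects the frame (for example returning AVERROR_INVALIDDATA when either value is negative or the sum would not fit an int) would be safer than clamping one of them.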

have you considered that video_size is a signed int and can be negative?

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
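To make the review point concrete, here is an added example (not code from FFmpeg or from either poster) that puts the patched clamp next to a check that rejects the frame instead. The `FFMIN` macro is written out as FFmpeg defines it; `JV_PREAMBLE_SIZE` is assumed to be 5 for this example only, and the struct and function names are illustrative, not the demuxer's own.

```c
#include <limits.h>
#include <stdint.h>

/* FFmpeg's FFMIN, spelled out so this file builds stand-alone. */
#define FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* Assumed value for this example; the real constant lives in jvdec.c. */
#define JV_PREAMBLE_SIZE 5

/* The clamp exactly as the quoted hunk writes it, on signed ints.
 * A negative video_size (a raw 32-bit value with the top bit set) is
 * already smaller than the bound, so FFMIN returns it untouched. */
int clamp_as_patched(int video_size, int palette_size)
{
    return FFMIN(video_size, INT_MAX - JV_PREAMBLE_SIZE - palette_size);
}

/* Illustrative mirror of the fields the demuxer keeps per frame. */
struct jv_frame_sizes {
    int audio_size;
    int video_size;
    int palette_size;
    int total_size;
};

/* Alternative check (not the project's): keep the raw fields as the
 * unsigned values avio_rl32() returns, compute the total in 64 bits so
 * the sum cannot wrap, and refuse any frame whose fields or total do not
 * fit in a non-negative int. Returns 0 on success, -1 on rejection. */
int jv_check_frame_sizes(uint32_t audio_raw, uint32_t video_raw,
                         int has_palette, struct jv_frame_sizes *out)
{
    uint32_t palette = has_palette ? 768 : 0;
    uint64_t total = (uint64_t)JV_PREAMBLE_SIZE + audio_raw + video_raw + palette;

    /* Each field must be representable as a non-negative int on its own
     * (this is the case the signed FFMIN misses), and the total must be too
     * (this is the case the clamp on video_size alone misses, since
     * audio_size is not bounded by it). */
    if (audio_raw > INT_MAX || video_raw > INT_MAX || total > INT_MAX)
        return -1;

    out->audio_size   = (int)audio_raw;
    out->video_size   = (int)video_raw;
    out->palette_size = (int)palette;
    out->total_size   = (int)total;
    return 0;
}
```

Feeding `clamp_as_patched` a negative value shows the first problem directly: the result is still negative. `jv_check_frame_sizes` rejects both that input and an audio_size large enough to push the total past INT_MAX, which the clamp on video_size alone would accept.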