[FFmpeg-devel] [PATCH 3/3] jv demuxer: prevent video packet size overflow
Michael Niedermayer
michaelni
Sat Mar 12 03:52:04 CET 2011
On Sat, Mar 12, 2011 at 01:31:49PM +1100, Peter Ross wrote:
> In the event of overflow, the JV_PADDING state will avio_skip over
> any overflow bytes (using JVFrame.total_size).
> ---
> libavformat/jvdec.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
> index 314a341..c27d8f6 100644
> --- a/libavformat/jvdec.c
> +++ b/libavformat/jvdec.c
> @@ -116,6 +116,8 @@ static int read_header(AVFormatContext *s,
> jvf->audio_size = avio_rl32(pb);
> jvf->video_size = avio_rl32(pb);
> jvf->palette_size = avio_r8(pb) ? 768 : 0;
> + jvf->video_size = FFMIN(jvf->video_size, INT_MAX - JV_PREAMBLE_SIZE
> + - jvf->palette_size);
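Review bot: the FFMIN on the two added lines bounds jvf->video_size only from above, so a negative size is left untouched. avio_rl32() yields an unsigned 32-bit value; if video_size is a signed int, a stored size with the top bit set is already negative after the assignment, compares as smaller than INT_MAX - JV_PREAMBLE_SIZE - jvf->palette_size, and passes through the FFMIN unchanged. Either do the comparison on the unsigned value before storing it, or add a lower bound (reject or clamp values below 0), so that the JV_PADDING skip described in the commit message starts from a sane size. jvf->audio_size is read the same way in the context line just above and gets no bound in this hunk; it is worth confirming that it is validated elsewhere.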
have you considered that video_size is a signed int and can be negative?
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle