[FFmpeg-devel] [PATCH 15/36] avcodec/mjpega_dump_header_bsf: Don't overread
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Sat May 30 19:05:20 EEST 2020
When encountering an SOS marker, the two bytes after this marker are
read, too. So one needs to make sure that these two bytes are still part
of the packet's data. And when one checks whether the input already is
of the desired format, one has to make sure that the place where one
searches the "mjpg" tag is actually contained in the given data.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
---
libavcodec/mjpega_dump_header_bsf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mjpega_dump_header_bsf.c b/libavcodec/mjpega_dump_header_bsf.c
index 40c4c690ab..1cd2b48719 100644
--- a/libavcodec/mjpega_dump_header_bsf.c
+++ b/libavcodec/mjpega_dump_header_bsf.c
@@ -62,7 +62,7 @@ static int mjpega_dump_header(AVBSFContext *ctx, AVPacket *out)
bytestream_put_be32(&out_buf, in->size + 44U); /* pad field size */
bytestream_put_be32(&out_buf, 0); /* next ptr */
- for (i = 0; i < in->size - 1; i++) {
+ for (i = 0; i < in->size - 3; i++) {
if (in->data[i] == 0xff) {
switch (in->data[i + 1]) {
case DQT: dqt = i + 46U; break;
@@ -80,7 +80,7 @@ static int mjpega_dump_header(AVBSFContext *ctx, AVPacket *out)
av_packet_free(&in);
return 0;
case APP1:
- if (i + 8U < in->size && AV_RL32(in->data + i + 8) == AV_RL32("mjpg")) {
+ if (i + 12U <= in->size && AV_RL32(in->data + i + 8) == AV_RL32("mjpg")) {
av_log(ctx, AV_LOG_ERROR, "bitstream already formatted\n");
av_packet_unref(out);
av_packet_move_ref(out, in);
@@ -90,7 +90,7 @@ static int mjpega_dump_header(AVBSFContext *ctx, AVPacket *out)
}
}
}
- av_log(ctx, AV_LOG_ERROR, "could not find SOS marker in bitstream\n");
+ av_log(ctx, AV_LOG_ERROR, "No valid SOS marker in bitstream\n");
fail:
av_packet_unref(out);
av_packet_free(&in);
--
2.20.1
More information about the ffmpeg-devel
mailing list