[FFmpeg-devel] [PATCH 5/5] avformat/jpegxl_anim_dec: avoid overrun with jxlp boxes in container
Leo Izen
leo.izen at gmail.com
Thu Jun 8 17:26:37 EEST 2023
This should avoid overrunning buffers with jxlp boxes if the size is
zero or if the size is so small the box is invalid.
Signed-off-by: Leo Izen <leo.izen at gmail.com>
---
libavformat/jpegxl_anim_dec.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index 6ea6c46d8f..c9e4dcd5fc 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -76,8 +76,14 @@ static int jpegxl_collect_codestream_header(const uint8_t *input_buffer, int inp
tag = AV_RL32(b);
b += 4;
if (tag == MKTAG('j', 'x', 'l', 'p')) {
+ if (b - input_buffer >= input_len - 4)
+ break;
b += 4;
- size -= 4;
+ if (size) {
+ if (size < 4)
+ return AVERROR_INVALIDDATA;
+ size -= 4;
+ }
}
if (tag == MKTAG('j', 'x', 'l', 'c') || tag == MKTAG('j', 'x', 'l', 'p')) {
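Review bot: In the jxlp branch the two failure paths behave differently and neither is documented: the truncated-input check (b - input_buffer >= input_len - 4) does a break, while the undersized-box check (size < 4) returns AVERROR_INVALIDDATA. A one-line comment above "if (size)" saying what a zero size represents at this point, and why running out of buffer is not treated as invalid data, would make the intent reviewable. Also note that ">=" breaks when exactly 4 bytes remain, which is enough for the following "b += 4" on its own; if the intent is to also require payload after the 4 skipped bytes, say so in the comment, otherwise ">" is the tight bound.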
--
2.40.1