Check for out of bound reads in jpeg 2000 decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
pull/2/head
Laurent Aimar 13 years ago committed by Michael Niedermayer
parent 41b7389cad
commit 02660a8713
  1. 9
      libavcodec/j2kdec.c

@ -961,18 +961,20 @@ static int decode_codestream(J2kDecoderContext *s)
static int jp2_find_codestream(J2kDecoderContext *s) static int jp2_find_codestream(J2kDecoderContext *s)
{ {
int32_t atom_size; uint32_t atom_size;
int found_codestream = 0, search_range = 10; int found_codestream = 0, search_range = 10;
// skip jpeg2k signature atom // skip jpeg2k signature atom
s->buf += 12; s->buf += 12;
while(!found_codestream && search_range) { while(!found_codestream && search_range && s->buf_end - s->buf >= 8) {
atom_size = AV_RB32(s->buf); atom_size = AV_RB32(s->buf);
if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) { if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) {
found_codestream = 1; found_codestream = 1;
s->buf += 8; s->buf += 8;
} else { } else {
if (s->buf_end - s->buf < atom_size)
return 0;
s->buf += atom_size; s->buf += atom_size;
search_range--; search_range--;
} }
@ -1005,7 +1007,8 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR(EINVAL); return AVERROR(EINVAL);
// check if the image is in jp2 format // check if the image is in jp2 format
if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) && if(s->buf_end - s->buf >= 12 &&
(AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) &&
(AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) { (AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) {
if(!jp2_find_codestream(s)) { if(!jp2_find_codestream(s)) {
av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n"); av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n");
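Review bot: In the `else` branch of `jp2_find_codestream`, `atom_size` is only compared with the remaining bytes, so a box length below 8 (smaller than the box header itself) is still accepted. The reads stay in bounds because of the new loop guard, but a length of 1..7 moves `s->buf` into the middle of the current header so the next iteration parses misaligned bytes as a box type, and a length of 0 re-reads the same box until `search_range` runs out. Consider `if (atom_size < 8 || s->buf_end - s->buf < atom_size) return 0;`; lengths 0 and 1 have special meanings in the JP2 box format (box runs to end of file, 64-bit extended length), so if those must be supported they need explicit handling rather than rejection. The comparison also mixes a pointer difference with a `uint32_t` and is only safe because the loop condition guarantees the difference is at least 8, which deserves a short comment such as `/* buf_end - buf >= 8 here, so the unsigned comparison cannot wrap */`. Both `jp2_find_codestream` and `decode_frame` continue outside the visible hunks.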
