Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Check index in mjpeg AC decode against overflowing.

Browse Source 
This fixes a possibly exploitable buffer overflow and it will likely also be needed for future overreading fixes.

Originally committed as revision 25546 to svn://svn.ffmpeg.org/ffmpeg/trunk
oldabi
Michael Niedermayer 14 years ago
parent 5675a11f92
commit 2111a191eb
1 changed files with 6 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      libavcodec/mjpegdec.c

8
libavcodec/mjpegdec.c
Unescape View File

@ -411,7 +411,7 @@ static int decode_block(MJpegDecodeContext *s, DCTELEM *block,
/* AC coefs */ /* AC coefs */
i = 0; i = 0;
{OPEN_READER(re, &s->gb) {OPEN_READER(re, &s->gb)
for(;;) { do {
UPDATE_CACHE(re, &s->gb); UPDATE_CACHE(re, &s->gb);
GET_VLC(code, re, &s->gb, s->vlcs[1][ac_index].table, 9, 2) GET_VLC(code, re, &s->gb, s->vlcs[1][ac_index].table, 9, 2)
@ -444,7 +444,7 @@ static int decode_block(MJpegDecodeContext *s, DCTELEM *block,
j = s->scantable.permutated[i]; j = s->scantable.permutated[i];
block[j] = level * quant_matrix[j]; block[j] = level * quant_matrix[j];
} }
} }while(i<63);
CLOSE_READER(re, &s->gb)} CLOSE_READER(re, &s->gb)}
return 0; return 0;
@ -511,6 +511,10 @@ static int decode_block_progressive(MJpegDecodeContext *s, DCTELEM *block, uint8
}else{ }else{
if(run == 0xF){// ZRL - skip 15 coefficients if(run == 0xF){// ZRL - skip 15 coefficients
i += 15; i += 15;
if (i >= se) {
av_log(s->avctx, AV_LOG_ERROR, "ZRL overflow: %d\n", i);
return -1;
}
}else{ }else{
val = (1 << run); val = (1 << run);
if(run){ if(run){

Write Preview
Loading…
Cancel
Save