|
|
|
@ -854,9 +854,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, |
|
|
|
|
if (s->restart_interval && !s->restart_count) |
|
|
|
|
s->restart_count = s->restart_interval; |
|
|
|
|
|
|
|
|
|
if (get_bits_count(&s->gb)>s->gb.size_in_bits) { |
|
|
|
|
if (get_bits_left(&s->gb) < 0) { |
|
|
|
|
av_log(s->avctx, AV_LOG_ERROR, "overread %d\n", |
|
|
|
|
get_bits_count(&s->gb) - s->gb.size_in_bits); |
|
|
|
|
-get_bits_left(&s->gb)); |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
for (i = 0; i < nb_components; i++) { |
|
|
|
@ -1147,7 +1147,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) |
|
|
|
|
len = get_bits(&s->gb, 16); |
|
|
|
|
if (len < 5) |
|
|
|
|
return -1; |
|
|
|
|
if (8 * len + get_bits_count(&s->gb) > s->gb.size_in_bits) |
|
|
|
|
if (8 * len > get_bits_left(&s->gb)) |
|
|
|
|
return -1; |
|
|
|
|
|
|
|
|
|
id = get_bits_long(&s->gb, 32); |
|
|
|
@ -1288,8 +1288,7 @@ out: |
|
|
|
|
static int mjpeg_decode_com(MJpegDecodeContext *s) |
|
|
|
|
{ |
|
|
|
|
int len = get_bits(&s->gb, 16); |
|
|
|
|
if (len >= 2 && |
|
|
|
|
8 * len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) { |
|
|
|
|
if (len >= 2 && 8 * len - 16 <= get_bits_left(&s->gb)) { |
|
|
|
|
char *cbuf = av_malloc(len - 1); |
|
|
|
|
if (cbuf) { |
|
|
|
|
int i; |
|
|
|
|