Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

mjpeg: Check the unescaped size for overflows

Browse Source 
And contextually check init_get_bits success and fix the reporting
message.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
pull/26/head
Luca Barbato 12 years ago
parent 7520d9779c
commit 6765ee7b9c
1 changed files with 7 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      libavcodec/mjpegdec.c

10
libavcodec/mjpegdec.c
Unescape View File

@ -1472,8 +1472,9 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
/* EOF */ /* EOF */
if (start_code < 0) { if (start_code < 0) {
goto the_end; goto the_end;
} else if (unescaped_buf_size > (1U<<29)) { } else if (unescaped_buf_size > INT_MAX / 8) {
av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n", av_log(avctx, AV_LOG_ERROR,
"MJPEG packet 0x%x too big (%d/%d), corrupt data?\n",
start_code, unescaped_buf_size, buf_size); start_code, unescaped_buf_size, buf_size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
@ -1481,7 +1482,10 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n", av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n",
start_code, buf_end - buf_ptr); start_code, buf_end - buf_ptr);
init_get_bits(&s->gb, unescaped_buf_ptr, unescaped_buf_size * 8); ret = init_get_bits(&s->gb, unescaped_buf_ptr,
unescaped_buf_size * 8);
if (ret < 0)
return ret;
s->start_code = start_code; s->start_code = start_code;
if (s->avctx->debug & FF_DEBUG_STARTCODE) if (s->avctx->debug & FF_DEBUG_STARTCODE)

Write Preview
Loading…
Cancel
Save