From dce778e0ea295db541e43b0850d3a7ef873996cc Mon Sep 17 00:00:00 2001
From: Zdenek Kabelac
Date: Mon, 10 Feb 2003 10:45:41 +0000
Subject: [PATCH] * check for potentialy problematic field len

Originally committed as revision 1572 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/mjpeg.c | 46 ++++++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/libavcodec/mjpeg.c b/libavcodec/mjpeg.c
index ab26ec7aa3..6595df25eb 100644
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1262,31 +1262,33 @@ out:
 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
- int i;
- UINT8 *cbuf;
- /* XXX: verify len field validity */
- unsigned int len = get_bits(&s->gb, 16)-2;
- cbuf = av_malloc(len+1);
-
- for (i = 0; i < len; i++)
- cbuf[i] = get_bits(&s->gb, 8);
- if (cbuf[i-1] == '\n')
- cbuf[i-1] = 0;
- else
- cbuf[i] = 0;
-
- printf("mjpeg comment: '%s'\n", cbuf);
+ unsigned int len = get_bits(&s->gb, 16);
+ if (len >= 2 && len < 32768) {
+ /* XXX: any better upper bound */
+ UINT8 *cbuf = av_malloc(len - 1);
+ if (cbuf) {
+ int i;
+ for (i = 0; i < len - 2; i++)
+ cbuf[i] = get_bits(&s->gb, 8);
+ if (i > 0 && cbuf[i-1] == '\n')
+ cbuf[i-1] = 0;
+ else
+ cbuf[i] = 0;
+
+ printf("mjpeg comment: '%s'\n", cbuf);
+
+ /* buggy avid, it puts EOI only at every 10th frame */
+ if (!strcmp(cbuf, "AVID"))
+ {
+ s->buggy_avid = 1;
+ // if (s->first_picture)
+ // printf("mjpeg: workarounding buggy AVID\n");
+ }
- /* buggy avid, it puts EOI only at every 10th frame */
- if (!strcmp(cbuf, "AVID"))
- {
- s->buggy_avid = 1;
-// if (s->first_picture)
-// printf("mjpeg: workarounding buggy AVID\n");
+ av_free(cbuf);
+ }
 }
-
- av_free(cbuf);
 return 0;
 }
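Review bot: The new range check in mjpeg_decode_com compares len only with the constants 2 and 32768, never with the amount of data still left in s->gb, so a COM segment that declares more bytes than the input holds can still push the `get_bits(&s->gb, 8)` loop past the end of the input unless get_bits is itself bounds-checked, which this hunk does not show. The bound that matters is the remaining input, and the placeholder `/* XXX: any better upper bound */` could say so until it is enforced: `/* XXX: len - 2 must not exceed the bytes left in s->gb */`. Separately, when the range check or av_malloc fails the function returns 0 without consuming the payload, leaving the reader positioned inside the comment; whether the caller resynchronises on the next marker is not visible here, so skipping the len - 2 bytes or returning an error would be safer. The comment bytes are also passed to printf unfiltered, so file-controlled control characters reach stdout of whatever program embeds the decoder.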