virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

mjpeg: Check the unescaped size for overflows

Browse Source 
And contextually check init_get_bits success and fix the reporting
message.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Luca Barbato
2013-06-29 06:07:57 +02:00
parent 7520d9779c
commit 6765ee7b9c
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/mjpegdec.c
View File

@@ -1472,8 +1472,9 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
/* EOF */ /* EOF */
if (start_code < 0) { if (start_code < 0) {
goto the_end; goto the_end;
} else if (unescaped_buf_size > (1U<<29)) { } else if (unescaped_buf_size > INT_MAX / 8) {
av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n", av_log(avctx, AV_LOG_ERROR,
"MJPEG packet 0x%x too big (%d/%d), corrupt data?\n",
start_code, unescaped_buf_size, buf_size); start_code, unescaped_buf_size, buf_size);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
@@ -1481,7 +1482,10 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n", av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n",
start_code, buf_end - buf_ptr); start_code, buf_end - buf_ptr);
init_get_bits(&s->gb, unescaped_buf_ptr, unescaped_buf_size * 8); ret = init_get_bits(&s->gb, unescaped_buf_ptr,
unescaped_buf_size * 8);
if (ret < 0)
return ret;
s->start_code = start_code; s->start_code = start_code;
if (s->avctx->debug & FF_DEBUG_STARTCODE) if (s->avctx->debug & FF_DEBUG_STARTCODE)