j2kdec & jpeg2000dec: check lengthinc against array size

Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2024-12-23 12:43:46 +02:00 · 2013-05-22 04:05:36 +02:00 · 2013-05-22 04:05:36 +02:00 · 914ab4cd1c
commit 914ab4cd1c
parent 17e66c9ff4
2 changed files with 6 additions and 2 deletions
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@ -577,7 +577,9 @@ static int decode_packet(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
            int xi;
            for (xi = band->prec[precno].xi0; xi < band->prec[precno].xi1; xi++){
                Jpeg2000Cblk *cblk = band->cblk + yi * cblknw + xi;
-                if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+                if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                    || sizeof(cblk->data) < cblk->lengthinc
+                )
                    return AVERROR(EINVAL);
                bytestream2_get_bufferu(&s->g, cblk->data, cblk->lengthinc);
                cblk->length += cblk->lengthinc;
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@ -643,7 +643,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s,
        nb_code_blocks = prec->nb_codeblocks_height * prec->nb_codeblocks_width;
        for (cblkno = 0; cblkno < nb_code_blocks; cblkno++) {
            Jpeg2000Cblk *cblk = prec->cblk + cblkno;
-            if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+            if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                || sizeof(cblk->data) < cblk->lengthinc
+            )
                return AVERROR(EINVAL);
            /* Code-block data can be empty. In that case initialize data
             * with 0xFFFF. */