[FFmpeg-devel] [PATCH] some length validation for mjpegdec
Reimar Döffinger
Reimar.Doeffinger
Fri Jul 23 19:07:26 CEST 2010
On Fri, Jul 23, 2010 at 06:56:43PM +0200, Stefano Sabatini wrote:
> On date Friday 2010-07-23 18:55:17 +0200, Reimar Döffinger encoded:
> > Hello,
> > seems like in some places we might read far beyond the get_bits
> > buffer and crash.
> > Attached is an attempt to fix it.
> > Some of the existing code doing such checks could be simplified
> > by using get_bits_left, too.
> >
> > Reimar
>
> > Index: libavcodec/mjpegdec.c
> > ===================================================================
> > --- libavcodec/mjpegdec.c (revision 24435)
> > +++ libavcodec/mjpegdec.c (working copy)
> > @@ -118,6 +118,10 @@
> > int len, index, i, j;
> >
> > len = get_bits(&s->gb, 16) - 2;
> > + if (len > get_bits_left(&s->gb) >> 3) {
> > + av_log(s->avctx, AV_LOG_ERROR, "decode_dht: not enough data\n");
> > + return -1;
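Review bot: The new check in decode_dht only bounds `len` from above, but `len` is an `int` computed as `get_bits(&s->gb, 16) - 2`, so a length field of 0 or 1 makes it negative and `len > get_bits_left(&s->gb) >> 3` lets it through. Consider rejecting `len < 0` in the same condition. Comparing in bits (`len * 8 > get_bits_left(&s->gb)`) would also avoid right-shifting the get_bits_left result if it can be negative at this point.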
>
> AVERROR_INVALIDDATA
>
> here and below.
Completely pointless currently, the return value is not even passed on currently.
This should be fixed, but I think it will be more convenient to just
try to fix it in one go.