[FFmpeg-devel] [PATCH]lavc/jpeg2000dec: Fix jp2 inner atom size used for overread checks

Carl Eugen Hoyos cehoyos at ag.or.at
Tue May 2 17:13:07 EEST 2017


Hi!

The atom2_size variable, when reading the inner atoms of a jp2 header,
is not reduced after reading the first 64 bits of the atom, and the
variable is used later for several checks to avoid overreads.

Please comment, Carl Eugen
-------------- next part --------------
From 8519c62b141953ecbd47f4eb9572a54db29bfec3 Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <cehoyos at ag.or.at>
Date: Tue, 2 May 2017 16:09:11 +0200
Subject: [PATCH] lavc/jpeg2000dec: Fix jp2 inner atom size used for overread
 checks.

---
 libavcodec/jpeg2000dec.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index e9f5f51..ab814ca 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1982,6 +1982,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s)
                 atom2_end  = bytestream2_tell(&s->g) + atom2_size - 8;
                 if (atom2_size < 8 || atom2_end > atom_end || atom2_end < atom2_size)
                     break;
+                atom2_size -= 8;
                 if (atom2 == JP2_CODESTREAM) {
                     return 1;
                 } else if (atom2 == MKBETAG('c','o','l','r') && atom2_size >= 7) {
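Review bot: the new `atom2_size -= 8;` sits after the bounds checks on `atom2_size` and `atom2_end`, which is the right order (the `atom2_size < 8` test guarantees the subtraction cannot wrap), but it changes the meaning of `atom2_size` for every later use in this loop body, not only the `colr` test `atom2_size >= 7` visible here; please confirm that each subsequent read of the atom payload in this function was written against the payload length rather than the full box length, since a check written for the full length would now reject legitimate small boxes. A short comment such as `/* atom2_size is now the payload length (box size minus the 8-byte header) */` would also help, as `atom2_end` above is still computed from the unreduced size and a reader could otherwise assume the two are inconsistent.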
-- 
1.7.10.4


