[FFmpeg-cvslog] mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
Luca Barbato
git at videolan.org
Mon Jun 3 00:46:26 CEST 2013
ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Wed May 15 18:41:41 2013 +0200| [aed12df7fe653c9eb0414cb612515ec321467bbc] | committer: Reinhard Tartler
mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
Prevent out of buffer write when decoding broken samples.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit cfbd98abe82cfcb9984a18d08697251b72b110c8)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aed12df7fe653c9eb0414cb612515ec321467bbc
---
libavcodec/mjpegdec.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 9551850..d47fc2c 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -945,6 +945,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
GetBitContext mb_bitmask_gb;
+ if (ss < 0 || ss >= 64 ||
+ se < ss || se >= 64 ||
+ Ah < 0 || Al < 0)
+ return AVERROR_INVALIDDATA;
+
if (mb_bitmask)
init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * s->mb_height);
More information about the ffmpeg-cvslog
mailing list