[FFmpeg-cvslog] mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
Luca Barbato
git at videolan.org
Tue May 21 12:01:46 CEST 2013
ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Wed May 15 18:41:41 2013 +0200| [cfbd98abe82cfcb9984a18d08697251b72b110c8] | committer: Luca Barbato
mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
Prevent out of buffer write when decoding broken samples.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cfbd98abe82cfcb9984a18d08697251b72b110c8
---
libavcodec/mjpegdec.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 896fa99..934d1a2 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -941,6 +941,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
GetBitContext mb_bitmask_gb;
+ if (ss < 0 || ss >= 64 ||
+ se < ss || se >= 64 ||
+ Ah < 0 || Al < 0)
+ return AVERROR_INVALIDDATA;
+
if (mb_bitmask)
init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * s->mb_height);
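Review bot: the last clause of the added condition, `Ah < 0 || Al < 0`, rejects only negative values and puts no upper bound on either parameter, while `ss` and `se` are bounded on both sides. If `Ah` or `Al` is later used as a shift count or bit position in this function (not visible in this hunk), an upper limit belongs in the same check. The early return is also silent: an `av_log()` error before `return AVERROR_INVALIDDATA;` that names the rejected values would make broken samples easier to diagnose. The literal `64` appears twice without explanation; a short comment or a named constant would document it as the number of coefficients per block.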