[FFmpeg-cvslog] j2kdec & jpeg2000dec: check lengthinc against array size

Michael Niedermayer git at videolan.org
Wed May 22 04:21:58 CEST 2013


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed May 22 04:05:36 2013 +0200| [914ab4cd1c59eae10771f2d6a892ec6b6f36b0e2] | committer: Michael Niedermayer

j2kdec & jpeg2000dec: check lengthinc against array size

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=914ab4cd1c59eae10771f2d6a892ec6b6f36b0e2
---

 libavcodec/j2kdec.c      |    4 +++-
 libavcodec/jpeg2000dec.c |    4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index a02b84b..f4b7e3e 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -577,7 +577,9 @@ static int decode_packet(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
             int xi;
             for (xi = band->prec[precno].xi0; xi < band->prec[precno].xi1; xi++){
                 Jpeg2000Cblk *cblk = band->cblk + yi * cblknw + xi;
-                if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+                if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                    || sizeof(cblk->data) < cblk->lengthinc
+                )
                     return AVERROR(EINVAL);
                 bytestream2_get_bufferu(&s->g, cblk->data, cblk->lengthinc);
                 cblk->length += cblk->lengthinc;
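Review bot: the new `sizeof(cblk->data) < cblk->lengthinc` test bounds only the single increment, which is enough here because `bytestream2_get_bufferu()` always writes from the start of `cblk->data`; but note that the next line still does `cblk->length += cblk->lengthinc`, so `length` accumulates across calls while the data written is only ever the last `lengthinc` bytes from offset 0. If `length` is later used as the number of valid bytes in `cblk->data`, it can exceed what was actually stored; either write at `cblk->data + cblk->length` and bound `cblk->length + cblk->lengthinc` against `sizeof(cblk->data)`, or document that `data` holds only the most recent increment. Also consider `AVERROR_INVALIDDATA` plus an `av_log(s->avctx, AV_LOG_ERROR, ...)` for the oversized case, since this is a malformed-bitstream condition rather than a bad argument, and a silent `EINVAL` makes fuzzer-found inputs harder to triage.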
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 0735da1..3992515 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -643,7 +643,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s,
         nb_code_blocks = prec->nb_codeblocks_height * prec->nb_codeblocks_width;
         for (cblkno = 0; cblkno < nb_code_blocks; cblkno++) {
             Jpeg2000Cblk *cblk = prec->cblk + cblkno;
-            if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+            if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                || sizeof(cblk->data) < cblk->lengthinc
+            )
                 return AVERROR(EINVAL);
             /* Code-block data can be empty. In that case initialize data
              * with 0xFFFF. */
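Review bot: the added bound is the same as in j2kdec.c and correctly rejects an increment larger than the fixed `cblk->data` array before the copy; one thing to confirm given the comment that follows (`Code-block data can be empty ... initialize data with 0xFFFF`): if the empty-block handling or any later step appends the 0xFFFF terminator after the copied bytes instead of replacing them, the check needs to leave room for it (compare against `sizeof(cblk->data) - 2` rather than `sizeof(cblk->data)`), otherwise a `lengthinc` of exactly `sizeof(cblk->data)` passes the check and the padding write lands one past the array. As in the first hunk, `AVERROR_INVALIDDATA` with an `av_log` would be the conventional return for corrupt input here.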