[FFmpeg-cvslog] avcodec/mjpegdec: check len in mjpeg_decode_app() more completely

Michael Niedermayer git at videolan.org
Wed Jan 8 01:27:51 CET 2014


ffmpeg | branch: release/2.1 | Michael Niedermayer <michaelni at gmx.at> | Fri Nov 22 16:51:07 2013 +0100| [d1a91958631754359566c73aaf9a296a0710796a] | committer: Michael Niedermayer

avcodec/mjpegdec: check len in mjpeg_decode_app() more completely

Avoids len from becoming negative and causing assertion failure

Fixes: signal_sigabrt_7ffff7126425_5140_fd44dc63fa7bdd12ee34fc602231ef02.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 6060234d43dcf0b5200cdd7dbd2f1542146827eb)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d1a91958631754359566c73aaf9a296a0710796a
---

 libavcodec/mjpegdec.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index f4e082f..398d758 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1444,7 +1444,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
     int len, id, i;
 
     len = get_bits(&s->gb, 16);
-    if (len < 5)
+    if (len < 6)
         return AVERROR_INVALIDDATA;
     if (8 * len > get_bits_left(&s->gb))
         return AVERROR_INVALIDDATA;
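Review bot: The new lower bound in `if (len < 6)` is a bare literal, and nothing in this hunk says which bytes it accounts for. The commit message says the goal is to keep len from going negative, so the bound must match the total the function later subtracts from len. Please add a comment listing those fields (the 16-bit length just read with get_bits, the id, and anything else), or write the bound as a sum of named sizes, so that the next change to the parsing below cannot silently invalidate it again.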
@@ -1558,7 +1558,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
     }
 
     /* EXIF metadata */
-    if (s->start_code == APP1 && id == AV_RB32("Exif")) {
+    if (s->start_code == APP1 && id == AV_RB32("Exif") && len >= 2) {
         GetByteContext gbytes;
         int ret, le, ifd_offset, bytes_read;
         const uint8_t *aligned;
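Review bot: The added `len >= 2` in the Exif condition makes a too-short APP1 "Exif" segment fall through silently, whereas the short-length case at the top of the function returns AVERROR_INVALIDDATA. If skipping is intended, say so in a comment and state which 2 bytes the block consumes before len is used again. Otherwise, consider rejecting the segment or at least logging it, so truncated Exif data is distinguishable from a segment that simply has no Exif id. A second literal guard next to the `len < 6` check also suggests the remaining length should be validated where each read happens rather than patched per branch.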


