RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/mjpegdec: check len in mjpeg_decode_app() more completely 

Avoids len from becoming negative and causing assertion failure

Fixes: signal_sigabrt_7ffff7126425_5140_fd44dc63fa7bdd12ee34fc602231ef02.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-11-22 16:51:07 +01:00
parent ba992711f7
commit 6060234d43
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/mjpegdec.c
View File

@ -1443,7 +1443,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
int len, id, i; int len, id, i;
len = get_bits(&s->gb, 16); len = get_bits(&s->gb, 16);
if (len < 5) if (len < 6)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if (8 * len > get_bits_left(&s->gb)) if (8 * len > get_bits_left(&s->gb))
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
@ -1557,7 +1557,7 @@ static int mjpeg_decode_app(MJpegDecodeContext *s)
} }
/* EXIF metadata */ /* EXIF metadata */
if (s->start_code == APP1 && id == AV_RB32("Exif")) { if (s->start_code == APP1 && id == AV_RB32("Exif") && len >= 2) {
GetByteContext gbytes; GetByteContext gbytes;
int ret, le, ifd_offset, bytes_read; int ret, le, ifd_offset, bytes_read;
const uint8_t *aligned; const uint8_t *aligned;