From 914ab4cd1c59eae10771f2d6a892ec6b6f36b0e2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 22 May 2013 04:05:36 +0200
Subject: [PATCH] j2kdec & jpeg2000dec: check lengthinc against array size

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/j2kdec.c | 4 +++-
 libavcodec/jpeg2000dec.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index a02b84b820..f4b7e3e88b 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -577,7 +577,9 @@ static int decode_packet(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
 int xi;
 for (xi = band->prec[precno].xi0; xi < band->prec[precno].xi1; xi++){
 Jpeg2000Cblk *cblk = band->cblk + yi * cblknw + xi;
- if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+ if ( bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+ || sizeof(cblk->data) < cblk->lengthinc
+ )
 return AVERROR(EINVAL);
 bytestream2_get_bufferu(&s->g, cblk->data, cblk->lengthinc);
 cblk->length += cblk->lengthinc;
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 0735da12f0..3992515c70 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -643,7 +643,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s,
 nb_code_blocks = prec->nb_codeblocks_height * prec->nb_codeblocks_width;
 for (cblkno = 0; cblkno < nb_code_blocks; cblkno++) {
 Jpeg2000Cblk *cblk = prec->cblk + cblkno;
- if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+ if ( bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+ || sizeof(cblk->data) < cblk->lengthinc
+ )
 return AVERROR(EINVAL);
 /* Code-block data can be empty. In that case initialize data
 * with 0xFFFF. */
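Review bot: The new guard bounds each single increment against `sizeof(cblk->data)`, but the last context line of the j2kdec.c hunk accumulates `cblk->length += cblk->lengthinc`, so across several packets `cblk->length` can grow past the array even though every individual `lengthinc` passed the check; any later consumer that treats `cblk->length` as the number of valid bytes in `cblk->data` (not visible here) would read beyond it. If the copy is meant to append, both the check and the copy should factor in the running length — `|| cblk->length + cblk->lengthinc > sizeof(cblk->data)` with `cblk->data + cblk->length` as the destination of `bytestream2_get_bufferu` — and if it is intentionally overwriting from offset 0, a comment saying so would stop the next reader from "fixing" it. The check is also only meaningful if `data` is an inline fixed-size array member of `Jpeg2000Cblk` rather than a pointer; the struct is outside the hunk, so a one-line comment at the check such as `/* data is a fixed-size array; sizeof() is its capacity */` would pin that assumption. The same applies to the jpeg2000dec.c hunk in `jpeg2000_decode_packet`, whose write into `cblk->data` is not shown in the hunk. Both `decode_packet` and `jpeg2000_decode_packet` start before and continue past their hunks.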