RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Check index in mjpeg AC decode against overflowing. 

This fixes a possibly exploitable buffer overflow and it will likely also be needed for future overreading fixes.

Originally committed as revision 25546 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Michael Niedermayer 2010-10-21 22:44:44 +00:00
parent 5675a11f92
commit 2111a191eb
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/mjpegdec.c
View File

@ -411,7 +411,7 @@ static int decode_block(MJpegDecodeContext *s, DCTELEM *block,
/* AC coefs */ /* AC coefs */
i = 0; i = 0;
{OPEN_READER(re, &s->gb) {OPEN_READER(re, &s->gb)
for(;;) { do {
UPDATE_CACHE(re, &s->gb); UPDATE_CACHE(re, &s->gb);
GET_VLC(code, re, &s->gb, s->vlcs[1][ac_index].table, 9, 2) GET_VLC(code, re, &s->gb, s->vlcs[1][ac_index].table, 9, 2)
@ -444,7 +444,7 @@ static int decode_block(MJpegDecodeContext *s, DCTELEM *block,
j = s->scantable.permutated[i]; j = s->scantable.permutated[i];
block[j] = level * quant_matrix[j]; block[j] = level * quant_matrix[j];
} }
} }while(i<63);
CLOSE_READER(re, &s->gb)} CLOSE_READER(re, &s->gb)}
return 0; return 0;
@ -511,6 +511,10 @@ static int decode_block_progressive(MJpegDecodeContext *s, DCTELEM *block, uint8
}else{ }else{
if(run == 0xF){// ZRL - skip 15 coefficients if(run == 0xF){// ZRL - skip 15 coefficients
i += 15; i += 15;
if (i >= se) {
av_log(s->avctx, AV_LOG_ERROR, "ZRL overflow: %d\n", i);
return -1;
}
}else{ }else{
val = (1 << run); val = (1 << run);
if(run){ if(run){