jpegls: check the scan offset

Prevent an out of array bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit abad374909e6416e941351094f4f1446a71f8d23) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/jpeglsdec.c
author: Luca Barbato <lu_zero@gentoo.org> 2013-05-17 13:08:55 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2013-06-22 08:40:02 +0200
commit: d26bc6c6b69f8f87e51430234bbf4b22962e2b3f (patch)
tree: 55225c3511376b76375932bf33f6ff01738d6918
parent: ca4a25acf89b715f8f587c947be7145d637a67d1 (diff)
download: ffmpeg-d26bc6c6b69f8f87e51430234bbf4b22962e2b3f.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 63bf5cff87..d234d73c33 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -286,6 +286,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 //    av_log(s->avctx, AV_LOG_DEBUG, "JPEG-LS params: %ix%i NEAR=%i MV=%i T(%i,%i,%i) RESET=%i, LIMIT=%i, qbpp=%i, RANGE=%i\n",s->width,s->height,state->near,state->maxval,state->T1,state->T2,state->T3,state->reset,state->limit,state->qbpp, state->range);
 //    av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan);
     if(ilv == 0) { /* separate planes */
+        if (s->cur_scan > s->nb_components) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         off = s->cur_scan - 1;
         stride = (s->nb_components > 1) ? 3 : 1;
         width = s->width * stride;
author	Luca Barbato <lu_zero@gentoo.org>	2013-05-17 13:08:55 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2013-06-22 08:40:02 +0200
commit	d26bc6c6b69f8f87e51430234bbf4b22962e2b3f (patch)
tree	55225c3511376b76375932bf33f6ff01738d6918
parent	ca4a25acf89b715f8f587c947be7145d637a67d1 (diff)
download	ffmpeg-d26bc6c6b69f8f87e51430234bbf4b22962e2b3f.tar.gz