aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZdenek Kabelac <kabi@informatics.muni.cz>2003-02-10 10:45:41 +0000
committerZdenek Kabelac <kabi@informatics.muni.cz>2003-02-10 10:45:41 +0000
commitdce778e0ea295db541e43b0850d3a7ef873996cc (patch)
tree9e3d35602b79dc7b615d16a94990563bcfb13d02
parentb29f97d1363dee7fe0019bfb9de4fdc35f11890a (diff)
downloadffmpeg-dce778e0ea295db541e43b0850d3a7ef873996cc.tar.gz
* check for potentialy problematic field len
Originally committed as revision 1572 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/mjpeg.c46
1 files changed, 24 insertions, 22 deletions
diff --git a/libavcodec/mjpeg.c b/libavcodec/mjpeg.c
index ab26ec7aa3..6595df25eb 100644
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1262,31 +1262,33 @@ out:
static int mjpeg_decode_com(MJpegDecodeContext *s)
{
- int i;
- UINT8 *cbuf;
-
/* XXX: verify len field validity */
- unsigned int len = get_bits(&s->gb, 16)-2;
- cbuf = av_malloc(len+1);
-
- for (i = 0; i < len; i++)
- cbuf[i] = get_bits(&s->gb, 8);
- if (cbuf[i-1] == '\n')
- cbuf[i-1] = 0;
- else
- cbuf[i] = 0;
-
- printf("mjpeg comment: '%s'\n", cbuf);
+ unsigned int len = get_bits(&s->gb, 16);
+ if (len >= 2 && len < 32768) {
+ /* XXX: any better upper bound */
+ UINT8 *cbuf = av_malloc(len - 1);
+ if (cbuf) {
+ int i;
+ for (i = 0; i < len - 2; i++)
+ cbuf[i] = get_bits(&s->gb, 8);
+ if (i > 0 && cbuf[i-1] == '\n')
+ cbuf[i-1] = 0;
+ else
+ cbuf[i] = 0;
+
+ printf("mjpeg comment: '%s'\n", cbuf);
+
+ /* buggy avid, it puts EOI only at every 10th frame */
+ if (!strcmp(cbuf, "AVID"))
+ {
+ s->buggy_avid = 1;
+ // if (s->first_picture)
+ // printf("mjpeg: workarounding buggy AVID\n");
+ }
- /* buggy avid, it puts EOI only at every 10th frame */
- if (!strcmp(cbuf, "AVID"))
- {
- s->buggy_avid = 1;
-// if (s->first_picture)
-// printf("mjpeg: workarounding buggy AVID\n");
+ av_free(cbuf);
+ }
}
-
- av_free(cbuf);
return 0;
}