verify len field validity in mjpeg_decode_com()

Originally committed as revision 4451 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2005-07-17 11:27:00 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2005-07-17 11:27:00 +0000
commit: e33943728e775ef9f3239fe950f3be4fa405d1f2 (patch)
tree: bc0bfa71e140073a43c0136678e1e9ac898a7a50
parent: 1b51e051c0030d879c2ca390d9e520ce3a84ce8c (diff)
download: ffmpeg-e33943728e775ef9f3239fe950f3be4fa405d1f2.tar.gz
1 files changed, 1 insertions, 3 deletions
diff --git a/libavcodec/mjpeg.c b/libavcodec/mjpeg.c
index 58b5b97823..bfce40c4ad 100644
--- a/libavcodec/mjpeg.c
+++ b/libavcodec/mjpeg.c
@@ -1728,10 +1728,8 @@ out:
 
 static int mjpeg_decode_com(MJpegDecodeContext *s)
 {
-    /* XXX: verify len field validity */
     int len = get_bits(&s->gb, 16);
-    if (len >= 2 && len < 32768) {
-	/* XXX: any better upper bound */
+    if (len >= 2 && 8*len - 16 + get_bits_count(&s->gb) <= s->gb.size_in_bits) {
 	uint8_t *cbuf = av_malloc(len - 1);
 	if (cbuf) {
 	    int i;
author	Michael Niedermayer <michaelni@gmx.at>	2005-07-17 11:27:00 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2005-07-17 11:27:00 +0000
commit	e33943728e775ef9f3239fe950f3be4fa405d1f2 (patch)
tree	bc0bfa71e140073a43c0136678e1e9ac898a7a50
parent	1b51e051c0030d879c2ca390d9e520ce3a84ce8c (diff)
download	ffmpeg-e33943728e775ef9f3239fe950f3be4fa405d1f2.tar.gz