aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2009-05-24 09:03:45 +0000
committerReimar Döffinger <Reimar.Doeffinger@gmx.de>2009-05-24 09:03:45 +0000
commit8d857c543402911f46ad38b093ab9aaf5b9a9a18 (patch)
treeb3cc1f490c398d2baeceef00b9542b8d31a1da1b
parent0766291a669281f556d7a0b32e8a920650dd93db (diff)
downloadffmpeg-8d857c543402911f46ad38b093ab9aaf5b9a9a18.tar.gz
Add a few size checks when decoding rtjpeg blocks.
Might avoid crashes in unlikely cases, but mostly avoids ugly artefacts for partial frames. Originally committed as revision 18925 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/rtjpeg.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c
index 2736807439..ec31656a09 100644
--- a/libavcodec/rtjpeg.c
+++ b/libavcodec/rtjpeg.c
@@ -55,6 +55,9 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
// number of non-zero coefficients
coeff = get_bits(gb, 6);
+ if (get_bits_count(gb) + (coeff << 1) >= gb->size_in_bits)
+ return 0;
+
// normally we would only need to clear the (63 - coeff) last values,
// but since we do not know where they are we just clear the whole block
memset(block, 0, 64 * sizeof(DCTELEM));
@@ -69,6 +72,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
// 4 bits per coefficient
ALIGN(4);
+ if (get_bits_count(gb) + (coeff << 2) >= gb->size_in_bits)
+ return 0;
while (coeff) {
ac = get_sbits(gb, 4);
if (ac == -8)
@@ -78,6 +83,8 @@ static inline int get_block(GetBitContext *gb, DCTELEM *block, const uint8_t *sc
// 8 bits per coefficient
ALIGN(8);
+ if (get_bits_count(gb) + (coeff << 3) >= gb->size_in_bits)
+ return 0;
while (coeff) {
ac = get_sbits(gb, 8);
PUT_COEFF(ac);