diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2013-05-21 23:38:26 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-05-22 00:07:45 +0200 |
commit | c649ecb3b2321a8f48b6a6bca06e0156c8b38fc7 (patch) | |
tree | 2b74980dcdb5b2ff7ff0756871dc62376baa04d1 | |
parent | f98dbc7311a30a30802c71571ff5e3d049ea7556 (diff) | |
download | ffmpeg-c649ecb3b2321a8f48b6a6bca06e0156c8b38fc7.tar.gz |
avcodec/jpeg2000dec: get_qcx, fix stack and heap overwrites
This is likely remotely exploitable
Fix ported from j2kdec
No uptodate FFmpeg release should be affected by this
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/jpeg2000dec.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 60489be0a3..6fbbfb2505 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -353,7 +353,7 @@ static int get_qcx(Jpeg2000DecoderContext *s, int n, Jpeg2000QuantStyle *q) if (q->quantsty == JPEG2000_QSTY_NONE) { n -= 3; - if (s->buf_end - s->buf < n) + if (s->buf_end - s->buf < n || 32*3 < n) return AVERROR(EINVAL); for (i = 0; i < n; i++) q->expn[i] = bytestream_get_byte(&s->buf) >> 3; @@ -370,7 +370,7 @@ static int get_qcx(Jpeg2000DecoderContext *s, int n, Jpeg2000QuantStyle *q) } } else { n = (n - 3) >> 1; - if (s->buf_end - s->buf < n) + if (s->buf_end - s->buf < 2 * n || 32*3 < n) return AVERROR(EINVAL); for (i = 0; i < n; i++) { x = bytestream_get_be16(&s->buf); |