aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2013-05-21 23:38:26 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-05-22 00:07:45 +0200
commitc649ecb3b2321a8f48b6a6bca06e0156c8b38fc7 (patch)
tree2b74980dcdb5b2ff7ff0756871dc62376baa04d1
parentf98dbc7311a30a30802c71571ff5e3d049ea7556 (diff)
downloadffmpeg-c649ecb3b2321a8f48b6a6bca06e0156c8b38fc7.tar.gz
avcodec/jpeg2000dec: get_qcx, fix stack and heap overwrites
This is likely remotely exploitable Fix ported from j2kdec No uptodate FFmpeg release should be affected by this Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/jpeg2000dec.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 60489be0a3..6fbbfb2505 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -353,7 +353,7 @@ static int get_qcx(Jpeg2000DecoderContext *s, int n, Jpeg2000QuantStyle *q)
if (q->quantsty == JPEG2000_QSTY_NONE) {
n -= 3;
- if (s->buf_end - s->buf < n)
+ if (s->buf_end - s->buf < n || 32*3 < n)
return AVERROR(EINVAL);
for (i = 0; i < n; i++)
q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
@@ -370,7 +370,7 @@ static int get_qcx(Jpeg2000DecoderContext *s, int n, Jpeg2000QuantStyle *q)
}
} else {
n = (n - 3) >> 1;
- if (s->buf_end - s->buf < n)
+ if (s->buf_end - s->buf < 2 * n || 32*3 < n)
return AVERROR(EINVAL);
for (i = 0; i < n; i++) {
x = bytestream_get_be16(&s->buf);