author | Luca Barbato <lu_zero@gentoo.org> | 2013-05-17 13:08:55 +0200 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2013-05-31 23:00:30 +0200 |
commit | 0af5a774ebc96ae9018926dc8b276c7f39767e3e (patch) | |
tree | 30d0c0f4d1d48024be8ade17d979026f5ccef009 | |
parent | 582aec49892dd42eb8bab5d4837f656a4b821188 (diff) | |
jpegls: check the scan offset
Prevent an out of array bound write.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit abad374909e6416e941351094f4f1446a71f8d23)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/jpeglsdec.c
-rw-r--r-- | libavcodec/jpeglsdec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 15bf962900..f851ec0420 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -289,6 +289,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 av_dlog(s->avctx, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n",
 ilv, point_transform, s->bits, s->cur_scan);
 if(ilv == 0) { /* separate planes */
+ if (s->cur_scan > s->nb_components) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
 off = s->cur_scan - 1;
 stride = (s->nb_components > 1) ? 3 : 1;
 width = s->width * stride; |
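Review bot: The added guard in the `ilv == 0` branch bounds `s->cur_scan` only from above, so a value of 0 would still make `off = s->cur_scan - 1` negative. Whether `cur_scan` is always at least 1 here depends on the caller, which is outside the hunk. If that is not guaranteed, the condition should read `if (s->cur_scan < 1 || s->cur_scan > s->nb_components) {`. The bound is also `nb_components`, while `stride` is fixed at 3 for any multi-component image, so it is worth confirming that a component count above 3 is rejected before this point; otherwise `off` can equal `stride`. An `av_log(s->avctx, AV_LOG_ERROR, ...)` line before `goto end` would make rejected streams visible when triaging malformed input. The function body, the `ret` variable and the `end` label all lie outside the hunk.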