jvdec: check that the video_size fits in the packet.

Prevents use of out of array data and fate failure. Found-by: durandal_1707 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-07-03 12:32:26 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2012-07-03 12:38:03 +0200
commit: 114f82ee7e384ff80151fe6f4ed89d46c2f20419 (patch)
tree: 1f7650b626fb24f4aa1084b0ed14af209843bb5e
parent: 596814f9781772050c65bdd8add27445bc8374a4 (diff)
download: ffmpeg-114f82ee7e384ff80151fe6f4ed89d46c2f20419.tar.gz
2 files changed, 1 insertions, 2 deletions
diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c
index 4031fadf15..728b749896 100644
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -143,7 +143,7 @@ static int decode_frame(AVCodecContext *avctx,
     buf += 5;
 
     if (video_size) {
-        if(video_size < 0) {
+        if(video_size < 0 || video_size > buf_size) {
             av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
             return AVERROR_INVALIDDATA;
         }
diff --git a/tests/ref/fate/jv b/tests/ref/fate/jv
index 88b345c85b..b0a6008d93 100644
--- a/tests/ref/fate/jv
+++ b/tests/ref/fate/jv
@@ -6,4 +6,3 @@
 0,          5,          5,        1,   192000, 0xb8e331eb
 0,          6,          6,        1,   192000, 0xd35b2053
 0,          7,          7,        1,   192000, 0x01062188
-0,          8,          8,        1,   192000, 0xa3a73b87
author	Michael Niedermayer <michaelni@gmx.at>	2012-07-03 12:32:26 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2012-07-03 12:38:03 +0200
commit	114f82ee7e384ff80151fe6f4ed89d46c2f20419 (patch)
tree	1f7650b626fb24f4aa1084b0ed14af209843bb5e
parent	596814f9781772050c65bdd8add27445bc8374a4 (diff)
download	ffmpeg-114f82ee7e384ff80151fe6f4ed89d46c2f20419.tar.gz