mjpeg: Detect overreads in mjpeg_decode_scan() and error out.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Ronald S. Bultje <rbultje@google.com> Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 0d9cba562b88899f0769e686d19b7953f589069b)
author: Michael Niedermayer <michaelni@gmx.at> 2011-04-21 22:03:24 +0200
committer: Reinhard Tartler <siretart@sandy.tauware.de> 2011-04-30 08:12:10 +0200
commit: 19166566418e48d13652a6c20468873108cfe955 (patch)
tree: c55800fcfde9df675cdf7fe8c64841db583a42cd
parent: b4eafa8b04802f45a710e712f2ec2676e0a77024 (diff)
download: ffmpeg-19166566418e48d13652a6c20468873108cfe955.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 7f57af905c..9f2f88b5de 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -792,6 +792,10 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
             if (s->restart_interval && !s->restart_count)
                 s->restart_count = s->restart_interval;
 
+            if(get_bits_count(&s->gb)>s->gb.size_in_bits){
+                av_log(s->avctx, AV_LOG_ERROR, "overread %d\n", get_bits_count(&s->gb) - s->gb.size_in_bits);
+                return -1;
+            }
             for(i=0;i<nb_components;i++) {
                 uint8_t *ptr;
                 int n, h, v, x, y, c, j;
author	Michael Niedermayer <michaelni@gmx.at>	2011-04-21 22:03:24 +0200
committer	Reinhard Tartler <siretart@sandy.tauware.de>	2011-04-30 08:12:10 +0200
commit	19166566418e48d13652a6c20468873108cfe955 (patch)
tree	c55800fcfde9df675cdf7fe8c64841db583a42cd
parent	b4eafa8b04802f45a710e712f2ec2676e0a77024 (diff)
download	ffmpeg-19166566418e48d13652a6c20468873108cfe955.tar.gz